b'       REDACTED \xe2\x80\x93 PUBLIC VERSION\n\n\n\n\nSENTINEL AUDIT II: STATUS OF\n   THE FEDERAL BUREAU OF\n    INVESTIGATION\xe2\x80\x99S CASE\n     MANAGEMENT SYSTEM\n\n       U.S. Department of Justice\n     Office of the Inspector General\n              Audit Division\n\n          Audit Report 07-03\n           December 2006\n\n\n       REDACTED \xe2\x80\x93 PUBLIC VERSION\n\x0c   SENTINEL AUDIT II: STATUS OF THE FEDERAL BUREAU OF\n       INVESTIGATION\xe2\x80\x99S CASE MANAGEMENT SYSTEM\xe2\x88\x97\n\n                       EXECUTIVE SUMMARY\n\n      On March 16, 2006, the Federal Bureau of Investigation (FBI)\nannounced that it had awarded a contract to Lockheed Martin Services,\nIncorporated (Lockheed Martin) to develop the Sentinel information\nand investigative case management system in 4 phases. The cost of\nthe four phases of the Lockheed contract was $305 million, and the\nFBI estimated that it would cost an additional $120 million to provide\nvarious contractor support and staff the FBI\xe2\x80\x99s Sentinel Program Office,\nwith the total estimated cost of Sentinel at $425 million. The initial\nschedule for the Lockheed Martin contract calls for all phases to be\ncompleted in December 2009.\n\n      The Sentinel project, which uses commercial off-the-shelf\ncomponents, is intended to provide the FBI with an electronic\ninformation management system, automated workflow processes,\nsearch capabilities, and information sharing with other law\nenforcement agencies and the intelligence community. The FBI\nDirector has stated, \xe2\x80\x9cSentinel will strengthen the FBI\xe2\x80\x99s capabilities by\nreplacing its primarily paper-based reporting system with an electronic\nsystem designed for information sharing. Sentinel will support our\ncurrent priorities, including our number one priority: preventing\nterrorist attacks.\xe2\x80\x9d1\n\n       Sentinel follows the FBI\xe2\x80\x99s unsuccessful 3-year, $170 million\neffort to develop a modern investigative case management system\ncalled the Virtual Case File (VCF) as part of the FBI\xe2\x80\x99s Trilogy\ninformation technology (IT) modernization project. The VCF, and now\nSentinel, was intended to provide the FBI with a modern system so\nthat the existing obsolete Automated Case Support (ACS) system\ncould be retired. As detailed in the Office of the Inspector General\xe2\x80\x99s\n(OIG) February 2005 audit report on the FBI\xe2\x80\x99s Trilogy project, the VCF\nproject failed for a variety of reasons, including poorly defined design\n\n      \xe2\x88\x97\n       THE FULL VERSION OF THIS REPORT INCLUDED INFORMATION THAT THE\nFBI CONSIDERED TO BE SENSITIVE PROPRIETARY INFORMATION. TO CREATE THIS\nPUBLIC VERSION OF THE REPORT, THE OIG REDACTED (DELETED) THE SENSITIVE\nPORTIONS AND NOTED THAT THE INFORMATION WAS REDACTED.\n      1\n        FBI Press Release entitled FBI Announces Award of Sentinel Contract,\nMarch 16, 2006.\n\n\n                                       -i-\n\x0crequirements, lack of mature Information Technology Investment\nManagement (ITIM) processes, and poor management continuity and\noversight.2\n\n      The Sentinel contract, awarded to Lockheed Martin through a\nGovernment-Wide Acquisition Contract (GWAC), is a cost-plus-award-\nfee contract that uses task orders to complete work for each phase of\nthe project.3 While this type of contract proved problematic under\nTrilogy, we have found that the FBI has made considerable progress in\nestablishing controls and processes required to adequately manage a\nmajor IT development project such as Sentinel and to bring it to a\nsuccessful conclusion \xe2\x80\x93 if the processes are followed and controls are\nimplemented as intended.\n\n      The OIG performed this audit of the Sentinel project at the\nrequest of the FBI Director and congressional appropriations and\noversight committees. This audit is the second in a series of audits\nthat the OIG intends to conduct, as Sentinel progresses, to evaluate\nthe progress and implementation of Sentinel. The first audit, issued in\nMarch 2006, assessed the FBI\xe2\x80\x99s pre-acquisition planning for and\ncontrols over Sentinel.\n\n       The objective of this second audit was to determine: (1) the\nprogress the FBI has made in resolving the concerns identified in our\nfirst report on the planning for Sentinel, and (2) if the contract with\nLockheed Martin and the FBI\xe2\x80\x99s ITIM processes and project\nmanagement are likely to contribute to the successful implementation\nof Sentinel. Our future audits will examine the progress of Sentinel\nover its four phases and assess whether cost, schedule, performance,\nand technical benchmarks are being met.\n\nBackground of Sentinel\n\n      A major objective of the FBI\xe2\x80\x99s IT modernization project is to\nreplace the FBI\xe2\x80\x99s antiquated ACS system. During a variety of OIG\nreviews over the past several years, we reported that ACS uses\noutmoded technology, is cumbersome to operate, and does not\nprovide necessary workflow and information-sharing functions.\n\n       2\n         The Department of Justice, Office of the Inspector General, The Federal\nBureau of Investigation\xe2\x80\x99s Management of the Trilogy Information Technology\nModernization Project, Audit Report Number 05-7, February 2005.\n       3\n         An award fee is a financial incentive provided to a contractor based on the\ncontractor\xe2\x80\x99s performance.\n\n\n                                        - ii -\n\x0c       The FBI expects that Sentinel will provide it with a web-enabled\ncase management system that includes records management,\nworkflow management, and evidence management; and records\nsearch and reporting capabilities, all of which will replace its current\npaper-based case management system. The FBI intends to implement\nSentinel in four phases over 45 months, with each phase providing\ndistinct capabilities until the overall project is completed in December\n2009. The FBI expects to complete each of the phases in 12 to 16\nmonths, with the phases overlapping by 1 to 2 months. For example,\nPhase 2 will begin about 2 months before Phase 1 is completed.\n\n     According to the FBI, the four phases will provide the following\ncapabilities.\n\n      \xe2\x80\xa2   Phase 1 will provide the web-based Sentinel portal. Initially,\n          the portal will allow access to ACS data and eventually to data\n          in the new case management system. It will also include a\n          case management \xe2\x80\x9cworkbox\xe2\x80\x9d that will summarize a user\xe2\x80\x99s\n          workload (the case files an agent or analyst is working on),\n          and provide automatic indexing in case files according to\n          person, place, or thing.\n\n      \xe2\x80\xa2   Phase 2 will begin the transition to a paperless case records\n          system by providing electronic case document management\n          and a records repository. A workflow tool will support the\n          movement of electronic case files through the review and\n          approval process, while a security framework will provide\n          access controls and electronic signatures.\n\n      \xe2\x80\xa2   Phase 3 will provide a new Universal Index (UNI), which is a\n          database of people, places, or things that relate to a case.\n          Expanding the number of attributes in the system will enable\n          more precise searching and will enhance agents\xe2\x80\x99 ability to\n          \xe2\x80\x9cconnect the dots\xe2\x80\x9d among cases.\n\n      \xe2\x80\xa2   Phase 4 will implement Sentinel\xe2\x80\x99s new case management and\n          reporting capabilities, including the management of tasks and\n          evidence. During this phase, Sentinel will be connected to\n          ACS, data on closed cases will be migrated from ACS to\n          Sentinel, and the process to retire ACS will begin.\n\n     We reviewed the progress the FBI has made since our March\n2006 report, the requirements of the Sentinel contract, the FBI\xe2\x80\x99s\n\n\n                                  - iii -\n\x0capplication of its ITIM processes through its Life Cycle Management\nDirective (LCMD), and the controls the FBI has established over the\nSentinel project to help avoid the problems the FBI encountered with\nthe Trilogy project.\n\n       We found that the FBI has resolved most of the concerns we\nidentified in our first Sentinel audit, although some aspects of those\nconcerns as well as some new concerns identified in our current audit\nbear continued monitoring. Specifically, the FBI has made progress in:\n(1) establishing cost tracking and control processes, (2) implementing\nan Earned Value Management (EVM) system to help measure progress\ntoward project baselines, (3) developing plans for the Independent\nVerification and Validation (IV&V) of the system software to ensure it\nwill operate as intended, (4) developing information sharing\ncapabilities, and (5) hiring more Program Management Office (PMO)\nstaff.\n\n      Among the areas warranting continued monitoring by the FBI,\nthe OIG, and other oversight entities are the: (1) funding of the\nSentinel project and the effect on the FBI\xe2\x80\x99s operations or other FBI\nprojects of any reprogramming of funds that might be required\n(2) accuracy of the estimated cost of the project, (3) availability of\ncontingency plans for identified project risks, and (4) completion of\nSentinel PMO staffing.\n\n      In sum, the project is still in its early stages and has not yet\nreached the most difficult phases. However, we believe that the\nprocesses the FBI has established to manage and control the Sentinel\nproject \xe2\x80\x93 if implemented and carefully followed as Sentinel develops \xe2\x80\x93\ncan provide reasonable assurance that Sentinel can be successful and\nthat any deviations from cost, schedule, technical, or performance\nbaselines can be identified.\n\nSentinel Contract\n\n      The FBI awarded to Lockheed Martin a cost-plus-award-fee\ncontract through a National Institutes of Health government-wide\nacquisition contract (GWAC).4 Actual work under the contract will\noccur project phase by project phase through task orders.5 The cost\n\n       4\n        The development contract under the GWAC is cost-plus-award-fee.\nHowever, all materials are cost-plus-fixed-fee and travel is cost reimbursable only.\n       5\n         A task order specifies the services required and the negotiated terms at\nwhich they will be provided, subject to the terms of the contract.\n\n\n                                        - iv -\n\x0cof the task order for Phase 1 of Sentinel is $57 million. According to\nthe contract, the FBI may exercise options for $248 million to cover\nthree additional phases of the project plus operations and\nmaintenance. Therefore, the total contract with Lockheed Martin could\ntotal $305 million. According to the contract, Lockheed Martin can\nalso be rewarded for meeting established goals in four areas: project\nmanagement, cost management, schedule, and technical performance.\nThe award fee cannot exceed xx percent of the $232.4 million total\ndevelopment costs for Sentinel, or approximately $26 million, and will\nbe allocated across the four areas based on risk. This type of contract\nand award fee structure is common for large government IT projects.\n\n       In our 2005 report on the FBI\xe2\x80\x99s Trilogy project, we described our\nconcerns with the cost-plus-award-fee contract as it was implemented\nby the FBI in that project. The cost-plus-award-fee contract used for\nTrilogy did not: (1) require specific completion milestones, (2) include\ncritical decision review points, and (3) provide for penalties if the\nmilestones were not met. With regard to the Sentinel contract, the\nFBI is establishing clear milestones and requiring critical decision\nreview points. If the contractor does not meet its milestones, it will be\npenalized by loss of the award fee.\n\nProgress in Addressing the OIG\xe2\x80\x99s Past Concerns\n\n       The FBI has made good progress in addressing the concerns we\nidentified in our March 2006 audit report. As we describe in the\nfollowing sections, our audit found that although some concerns\nremain, the FBI has: (1) hired or selected staff to meet current\nvacancies for the Sentinel PMO and has had management stability,\n(2) required that Sentinel meet a new joint Department of Justice and\nDepartment of Homeland Security information sharing standard, which\nwill allow Sentinel to communicate with other systems built to the\nstandard, (3) established an EVM system to monitor the Sentinel\nproject\xe2\x80\x99s costs and schedule, (4) established layers of review,\napproval, and reporting for Sentinel spending, and (5) completed plans\nfor the IV&V of Sentinel\xe2\x80\x99s software to ensure it will perform as\nintended.\n\nStaffing\n\n       The FBI has made progress in staffing the Sentinel PMO since\nour first report. Of a total planned staff of 73, as of October 2006, 65\n\n\n\n\n                                  -v-\n\x0cpositions had been filled compared to 51 in March 2006.6 The FBI said\nit has intentionally delayed filling six of the vacant positions until the\nsecond phase of Sentinel. Two other positions remain vacant, an\nintelligence analyst and a planner. The Chief of the Business\nManagement Unit said the PMO has taken steps to expedite hiring,\nincluding interviewing applicants who had applied to an FBI-wide job\nannouncement for computer scientists.\n\nInformation Sharing\n\n       In our March 2006 report, we expressed concerns that the FBI\nwas focused on sharing information within the FBI but had not paid\nsufficient attention to Sentinel\xe2\x80\x99s ability to share information with other\nlaw enforcement and intelligence agencies\xe2\x80\x99 systems. Since that\nreport, the FBI has focused more attention on external information\nsharing needs and has been coordinating with the Departments of\nJustice and Homeland Security and other federal entities, including the\nDrug Enforcement Administration, Immigration and Customs\nEnforcement, and the Office of the Director of National Intelligence.\nSentinel will be built to meet the standards of the new National\nInformation Exchange Model, a joint Department of Justice and\nDepartment of Homeland Security standard, which is also supported\nby the Director of National Intelligence. When finalized, the standard\nwill become the government-wide standard for any new law\nenforcement and intelligence systems being developed.7 However, the\nstandard is still evolving, and Sentinel\xe2\x80\x99s design may have to be\nmodified as the standard evolves.\n\nEarned Value Management\n\n      EVM is a tool that measures the performance of a project by\ncomparing the variance between established cost, schedule, and\nperformance baselines with what is actually taking place. These\nvariances are measured periodically to give project managers a\nperspective on the status of a project and an early warning if a project\n\n\n\n       6\n          The number of filled positions includes three candidates who had accepted\npositions and were in the process of being hired.\n       7\n          The Sentinel statement of work, which was developed prior to the release\nof the draft National Information Exchange Model, requires Sentinel to be built to the\nGlobal Justice XML Model. However, the Sentinel Program Manager said that\nSentinel\xe2\x80\x99s design will ultimately conform to the new National Information Exchange\nModel standards.\n\n\n                                        - vi -\n\x0cis heading for trouble. EVM reporting is an important risk-\nmanagement tool for a major IT development project.\n\n      The FBI and Lockheed Martin have implemented EVM systems in\naccord with Office of Management and Budget (OMB) requirements to\ntrack and validate Sentinel project costs throughout the life of the\nproject. In addition to data provided by Lockheed Martin, the FBI\xe2\x80\x99s\nEVM system relies on cost data provided through invoices from support\nservices contractors and the FBI\xe2\x80\x99s Budget Execution and Analysis\nReporting System, which extracts purchase order information from the\nFBI\xe2\x80\x99s Financial Management System and generates reports on funds\nrequested, amounts approved and spent, and obligations that have not\nyet entered the FBI\xe2\x80\x99s overall Financial Management System. The FBI\nis required to report to the OMB any net cost or schedule variations by\nthe FBI and the contractor that meet a reporting threshold.\n\n      The FBI is using the EVM system to help manage project risks by\nproviding an early warning of unexpected costs and problems that\ncould delay Sentinel\xe2\x80\x99s completion. We are monitoring the FBI\xe2\x80\x99s EVM\nreporting to identify any unexplained growth in overall project costs or\nany schedule delays. Three early EVM reports indicated some\nvariances, but the variances were due to estimating errors by the\ncontractor, which have been corrected.\n\nCost Tracking and Controls\n\n       The OIG\xe2\x80\x99s prior reviews of the Trilogy project found that the FBI\nlacked an effective, reliable system to track and validate the Trilogy\nproject\xe2\x80\x99s costs. In our current audit work, we found that in addition to\nEVM reporting, the FBI has established controls to help ensure that\nSentinel expenditures are authorized in advance and that items are\nverified when delivered and validated when invoiced. For example, the\nFBI has developed a system of overlapping responsibilities for the\noversight of Sentinel\xe2\x80\x99s costs that include: accounting, auditing, and\nbudget monitoring by the FBI\xe2\x80\x99s Finance Division; detailed tracking of\nSentinel\xe2\x80\x99s costs by the Office of the Chief Information Officer\xe2\x80\x99s IT\nFinancial Management Unit; and tracking and controlling program and\ndevelopment costs and developing policies and procedures for\nprocessing invoices, requisitioning and procuring equipment, reviewing\ncontractor time charges, and resolving discrepancies by the Sentinel\nPMO Business Management Unit. We believe that the tracking systems\nand controls the FBI has implemented will allow the FBI to be better\nmonitor and control project costs for Sentinel than was the case under\nTrilogy.\n\n\n                                 - vii -\n\x0cDocumentation Required by ITIM Processes\n\n      Although the FBI had established sound IT investment\nmanagement processes through its Life Cycle Management Directive\n(LCMD), we noted in our last report on Sentinel that two key plans had\nnot yet been developed because the project design had not been\ncompleted: IV&V and the system security plan. The IV&V process\nprovides an independent control to monitor the testing of the system\nsoftware and ensure it functions as intended. The FBI\xe2\x80\x99s Chief\nInformation Officer (CIO) recently told us that the FBI awarded its\nIV&V contracts to eight vendors and that it had awarded a task order\nto Booz Allen Hamilton to monitor Lockheed Martin\xe2\x80\x99s testing of the\nsystem software during the development of the Sentinel system.8\n\n      A system security plan is also critical to help ensure that Sentinel\nwill meet the FBI\xe2\x80\x99s security standards and can be certified and\naccredited for use within the FBI\xe2\x80\x99s operating environment. The CIO\nrecently told us that the security plan has been drafted and is in the\napproval process.\n\n       In accordance with the FBI\xe2\x80\x99s LCMD, the final design for the first\nphase of the Sentinel project will occur in October 2006. However,\nbecause Lockheed Martin will be using off-the-shelf components to\ndevelop Sentinel, the complication and risk of the project design\nshould be lessened, although configuring all of the components into\none seamless system will remain a greater challenge. The FBI stated\nthat it will conduct future planning, including requirements verification,\nprior to the initiation of subsequent phases in order to solidify the\ndesign and deliverables for each phase\n\nCurrent Concerns\n\n       The FBI has made strides in resolving most of the concerns\ndiscussed in our March 2006 audit report, although some aspects of\nthose concerns remain. Also, in our current audit work we have\nidentified additional concerns that warrant continued monitoring by\nboth the FBI and the OIG. One concern carries over from our previous\nreport \xe2\x80\x93 the possibility of a reprogramming of the FBI\xe2\x80\x99s non-IT funds\nto cover fiscal year 2007 Sentinel expenses, which may have an\nadverse affect on the FBI\xe2\x80\x99s mission capabilities. In addition, we were\n\n\n       8\n         At the time our audit, the specific IV&V activities for Sentinel had not been\ndetermined. However, IV&V may include oversight of program management\nprocesses and assessments related to the development contractor\xe2\x80\x99s performance.\n\n\n                                        - viii -\n\x0cunable to validate the FBI\xe2\x80\x99s cost estimate for Sentinel, and we found\nthat the FBI lacks contingency plans for all of the highly rated project\nrisks it has identified.\n\nProject Funding and Reprogramming\n\n       We found that the FBI faces uncertainty over the source of the\napproximately $150 million the FBI says it needs in fiscal year (FY)\n2007 to continue the Sentinel project. The President\xe2\x80\x99s FY 2007 budget\nrequest includes $100 million for Sentinel, and the FBI would need an\nadditional $56.7 million to bridge the gap between the requested funds\nand its FY 2007 requirements for Sentinel. The FBI expects to have\nabout $50 million remaining from the first phase of Sentinel and prior\nyear unexpended balances from other sources. Moreover, the FBI\xe2\x80\x99s\nCIO recently told us that an FY 2007 appropriation of less than $100\nmillion would be cause for concern and could result in an unanticipated\nlevel of reprogramming of FBI resources to fund the Sentinel project.\nIn our judgment, any reprogramming significantly above $50 million\nwill require the FBI to carefully consider which programs and activities\nwill be affected and how to monitor the overall impact on the FBI\xe2\x80\x99s\nmission.\n\n      As we reported in our first Sentinel audit, various FBI managers\ntold us that a second reprogramming of FBI funds similar in size to the\n$97 million reprogramming that occurred in November 2005 could\nerode the FBI\xe2\x80\x99s mission capability in counterterrorism, cybercrime, and\nother important operational areas. Therefore, until the funding issues\nare addressed, we remain concerned about the impact that\nreprogramming significant amounts of non-IT funds to support\nSentinel would have on other critical FBI priorities.\n\n       With respect to total project costs, the FBI CIO told us that he\nstands by the FBI\xe2\x80\x99s estimate that the full cost of Sentinel will be $425\nmillion, with $305 million to cover work by Lockheed Martin on a\nvariety of task orders and an additional $120 million to cover costs\nsuch as staffing the FBI\xe2\x80\x99s Program Management Office, contractor\nsupport, and management or risk reserve for contingencies. Training\ncosts are included in the Lockheed Martin portion of the estimate,\nwhich was a concern we noted in our last Sentinel report when the FBI\nhad not yet developed a complete cost estimate for its training plans.\n\n\n\n\n                                  - ix -\n\x0cCost Estimates\n\n      We reviewed the processes used to derive the $425 million cost\nestimate for the Sentinel project, noted some inconsistencies in the\nprocess and the results, and concluded that the estimate is a rough\napproximation of Sentinel\xe2\x80\x99s overall costs. The estimate is, in our view,\ntentative given the variances in the supporting cost estimates and the\ninherent complexity of estimating costs for a major IT system before\nthe design is finalized.\n\n      In examining the underlying estimates for the overall project\ncost, we are unclear as to whether the initial cost estimate accurately\nincluded the project\xe2\x80\x99s operations and maintenance costs through\nFY 2011. We found that some portions of the estimate provide costs\nfor 2 years, while other portions include costs for 3 years. Another\nestimate showed significant disparities in Lockheed Martin\xe2\x80\x99s labor\ncosts. Variations in the estimates of Sentinel\xe2\x80\x99s projected costs\ndemonstrate the difficulty of estimating the cost of such a complex\ninformation technology project at its outset.\n\n        Because of these estimation difficulties, and because the project\nis in its early stages, we could not validate the FBI\xe2\x80\x99s overall estimate\nof $425 million for Sentinel, and we believe that the ultimate cost\ncould be lower or higher. We noted that the overall management\nreserve for the project \xe2\x80\x93 a budgeted amount to cover any\nunanticipated expenses \xe2\x80\x93 currently amounts to about 15 percent of\nSentinel\xe2\x80\x99s development costs. The Sentinel Program Manager told us\nthat based on his experience, an 11 percent reserve would be\nadequate (the difference amounts to about $8.6 million). The FBI\nexpects to adjust the amount of the reserve so that over the length of\nthe project the reserve will equal 11 percent of the development cost.\nAs the FBI finalizes Sentinel\xe2\x80\x99s design and gains experience with actual\nproject costs, the FBI should regularly update its estimate of the\noverall project costs to keep Congress and the Department informed.\nIn addition, we intend to continue to monitor the cost of the project as\nit progresses.\n\n      In addition to the Sentinel project cost estimates, we identified\ncosts that could be considered as associated with Sentinel but are\nseparate projects and therefore not included as part of Sentinel\xe2\x80\x99s\nprojected $425 million cost. For example, the implementation of\nSentinel will require changes to the FBI\xe2\x80\x99s National Name Check\nsystem. In response to a request from a federal, state, or local\nagency, the National Name Check Program queries FBI records to\n\n\n                                  -x-\n\x0cdetermine whether the person named in the request has been the\nsubject of an FBI investigation or mentioned in an FBI investigation.\nThe data system used by the program relies very heavily on the ACS\nsystem, which Sentinel is intended to replace. The estimated cost of\nupdating the existing name check system to work with Sentinel is over\nxxxxxxxx. In addition, the FBI has ongoing agency-wide security\nefforts that will benefit Sentinel. If these separate projects were\nincluded as Sentinel costs, the $425 million cost estimate could be at\nleast $25 million higher.\n\n       The FBI\xe2\x80\x99s position is that these separate projects are enterprise-\nwide endeavors that will benefit the FBI\xe2\x80\x99s overall IT structure,\nincluding Sentinel but also many other FBI systems. The CIO and the\nSentinel Program Manager contend that these other projects were\ninitiated on their own merits, would be undertaken regardless of\nSentinel, and their costs ought not be considered as Sentinel costs.\nWhile we agree that these Sentinel-related projects may not be direct\nSentinel costs, in our view the scope of the Sentinel project would be\nlarger if it was not supported by these other investments.\n\nRisk Management\n\n      The purpose of risk management is to assist the project\nmanagement team in identifying, assessing, categorizing, monitoring,\ncontrolling, and mitigating risks before they negatively affect a\nprogram. A risk management plan identifies procedures used to\nmanage risk throughout the life of the program. Risks are categorized\nby severity and identified as either open or resolved. Open risks are\ntracked until resolved.\n\n       The FBI has created a list of 20 risks associated with the Sentinel\nproject that it is monitoring. While the FBI\xe2\x80\x99s establishment of a risk\nmanagement program is a positive step, contingency plans, and the\ntriggers for activating such plans, currently exist for only three risks \xe2\x80\x93\nincluding only one of the top five risks. The Program Manager told us\nthat in some cases it is difficult to develop a contingency plan before\nthe FBI\xe2\x80\x99s preventive actions mitigate the likelihood or severity of the\nrisk or before the risk. He explained that the focus is on preventing\nproblems that would rise to the level of requiring mitigation, and that if\na problem occurs, a corrective action will be developed. He also told\nus that many risks are temporary and as a project phase progresses,\nthe risk may become moot and is closed. However, we believe the FBI\nshould have a plan for risks that have the potential to result in a\n\n\n\n                                  - xi -\n\x0csignificant cost, schedule, or performance deviation from the project\nbaselines.\n\n       With respect to currently identified project risks, we view the\nFBI\xe2\x80\x99s ability to successfully migrate data from the antiquated ACS\nsystem to Sentinel as a potentially significant challenge. If the\nmigration were to fail or be seriously delayed, the FBI would need to\ntry maintaining its legacy ACS system with all of its flaws. An inability\nto migrate the ACS data would also result in a Sentinel system that\nbuilds its data from the present day forward, without the benefit of\nyears of investigative data compiled in the old system. Further, should\nACS cease to be maintainable, that data could effectively be lost. The\nSentinel Program Manager told us that the task of \xe2\x80\x9ccleaning\xe2\x80\x9d and\nreconciling the ACS data for migration into Sentinel is not technically\ndifficult and the FBI plans to use an available software tool for that\npurpose. However, he pointed out that it will take a significant\namount of work to accomplish. He also said that as a preventative\nmeasure intended to eliminate any delays in the overall project due to\ndata cleansing, the FBI plans to cleanse data in the phase preceding\nthe phase in which the data will be transferred to Sentinel.\n\n      Another potential risk is the extent to which Sentinel will actually\nuse commercial-off-the-shelf software modules as intended. A high\ndegree of customization of the software could result in increased costs\nand schedule delays. The Program Manager told us that the\ncomponents for Sentinel are all off-the-shelf and little or no\ncustomization is anticipated. However, the key task will be configuring\nSentinel\xe2\x80\x99s various applications \xe2\x80\x93 such as the workflow, document\nmanagement, searching and reporting, and electronic signatures \xe2\x80\x93 to\nall work together. The Program Manager noted that Lockheed Martin\nhas successfully configured similar systems in other major projects,\nusing some of the same software modules, including one at the Social\nSecurity Administration.\n\nIT Investment Management Processes\n\n      In November 2004, the FBI established its IT investment\nmanagement processes through its LCMD, which it has since refined\nand is applying to the Sentinel project. The LCMD governs all aspects\nof an IT project, including planning, acquisition, development, testing,\nand operations and maintenance. The FBI\xe2\x80\x99s LCMD contains four\noverlapping components: life cycle phases, control gates, project level\nreviews, and key support processes.\n\n\n\n                                  - xii -\n\x0c      The LCMD has established nine phases that occur during the\ndevelopment, implementation, and retirement of IT projects:\n(1) concept exploration, (2) requirements development, (3) acquisition\nplanning, (4) source selection, (5) design, (6) development and\ntesting, (7) implementation and integration, (8) operations and\nmaintenance, and (9) retirement.9 As of August 2006, the Sentinel\nproject had passed through the first four life cycle phases and is\ncurrently in the fifth phase \xe2\x80\x93 Design.\n\n      During the life cycle phases, specific requirements must be met\nfor the project to obtain the necessary FBI management approvals to\nproceed to the next life cycle phase. The approvals occur through\ncontrol gates, where FBI management boards meet to discuss and\napprove or disapprove a project\xe2\x80\x99s progression to future phases of\ndevelopment or implementation. The control gate reviews provide\nmanagement control and direction, decision-making, coordination,\nconfirmation of successful performance of activities, and determination\nof a system\xe2\x80\x99s readiness to proceed to the next life cycle phase.\nDecisions made at each control gate review dictate the next step for\nthe IT program or project and may include: allowing an IT program or\nproject to proceed to the next segment or phase, directing rework\nbefore proceeding to the next segment or phase, or terminating the IT\nprogram or project.\n\n       The Sentinel project has received management approval for the\nfirst two of the LCMD control gates: the system concept on July 15,\n2005, and the acquisition plan on July 29, 2005. As of September\n2006, the Sentinel program had not requested or received approval for\nthe third control gate. According to the Sentinel Program Manager,\nPhase 1 of the Sentinel project is scheduled to pass through Control\nGate 3, the Final Design Review, in late October 2006. Depending\nupon the development model employed, programs or projects may\npass through the control gates more than once. Because Sentinel is\nbeing developed in phases, and the contractor must provide a system\ndesign for each phase, the project will pass through Control Gate 3\nfour times.\n\n\n\n\n       9\n        The life cycle phases are not to be confused with the Sentinel project\xe2\x80\x99s four\ndevelopment phases.\n\n\n                                       - xiii -\n\x0cConclusions\n\n       By establishing stronger IT investment management processes\nand an array of monitoring and control mechanisms, the FBI has\npositioned itself to better manage the Sentinel project and avoid the\nproblems that occurred in the Trilogy and VCF projects. However, FBI\nofficials agree this does not mean that the development of Sentinel is\nrisk-free. While the FBI has corrected or alleviated most of the\nconcerns we raised in our March 2006 audit report on Sentinel, several\nareas warrant attention to avoid potentially serious problems as the\nproject progresses:\n\n      \xe2\x80\xa2   the ability to fully fund the project and, if required, reprogram\n          funds without adversely affecting other FBI mission-critical\n          operations,\n\n      \xe2\x80\xa2   monitoring and adjusting as necessary the estimates of total\n          project costs,\n\n      \xe2\x80\xa2   developing contingency plans for high-risk areas that could\n          affect project costs, schedule, or performance, and\n\n      \xe2\x80\xa2   completely staffing the PMO.\n\n      In future audits, we will continue to monitor Sentinel\xe2\x80\x99s progress\nand whether the project is meeting the cost, schedule, technical, and\nperformance baselines.\n\nOIG Recommendations\n\n      In this second Sentinel audit, we make five recommendations to\nthe FBI to help ensure the success of the Sentinel case management\nsystem and manage project costs. The recommendations are:\n\n      \xe2\x80\xa2   Ensure the management reserve is based on an assessment\n          of project risks for each phase and for the project overall.\n\n      \xe2\x80\xa2   Periodically update the estimate of total project costs as\n          actual cost data is available.\n\n      \xe2\x80\xa2   Complete contingency plans as required by the Sentinel Risk\n          Management Plan.\n\n\n\n\n                                  - xiv -\n\x0c\xe2\x80\xa2   Ensure that the independent verification and validation\n    process is conducted through project completion.\n\n\xe2\x80\xa2   Complete hiring as soon as possible for the vacant PMO\n    positions needed during the current project phase.\n\n\n\n\n                            - xv -\n\x0c                              TABLE OF CONTENTS\n\n\nINTRODUCTION .......................................................................... 1\n     Background ....................................................................... 1\n     Sentinel............................................................................. 4\n     Sentinel\xe2\x80\x99s Phased Approach.................................................. 6\n     Earned Value Management System........................................ 8\n     Prior Reports .................................................................... 10\n\nFINDINGS AND RECOMMENDATIONS ........................................... 14\n     Foundation of the Sentinel Project ....................................... 14\n     Sentinel Contract .............................................................. 14\n     Estimating Sentinel\xe2\x80\x99s Cost .................................................. 15\n     Funding Sentinel............................................................... 26\n     Cost Tracking and Control .................................................. 28\n     Earned Value Management ................................................ 30\n     Risk Management ............................................................. 34\n     Staffing of the Program Management Office .......................... 39\n     Improved Management Processes and Controls ..................... 42\n     Change Management Process ............................................. 48\n     Information Sharing .......................................................... 50\n     Lockheed Martin\xe2\x80\x99s Observations on Sentinel ......................... 53\n     Conclusion ....................................................................... 55\n     Recommendations ............................................................ 57\n\nSTATEMENT ON COMPLIANCE WITH LAWS AND REGULATIONS ....... 58\n\nSTATEMENT ON INTERNAL CONTROLS ......................................... 59\n\nAPPENDIX 1: OBJECTIVES, SCOPE, AND METHODOLOGY ............... 60\n\nAPPENDIX 2: ACRONYMS .......................................................... 61\n\nAPPENDIX 3: PRIOR REPORTS ON THE FBI\xe2\x80\x99S INFORMATION\n            TECHNOLOGY....................................................... 63\n\nAPPENDIX 4: COST ESTIMATING METHODOLOGIES USED IN\n            THE INDEPENDENT GOVERNMENT\n            COST ESTIMATE ................................................... 71\n\nAPPENDIX 5: RISK REGISTER .................................................... 72\n\x0cAPPENDIX 6: THE FBI\xe2\x80\x99S LIFE CYCLE MANAGEMENT DIRECTIVE....... 82\n\nAPPENDIX 7: PMO STAFF POSITIONS AND RESPONSIBILITIES........ 88\n\nAPPENDIX 8: THE FEDERAL BUREAU OF INVESTIGATION\xe2\x80\x99S\n            RESPONSE TO THE DRAFT REPORT ......................... 90\n\nAPPENDIX 9: OFFICE OF THE INSPECTOR GENERAL ANALYSIS\n            AND SUMMARY OF ACTIONS NECESSARY TO\n            CLOSE THE REPORT.............................................. 93\n\x0c                              INTRODUCTION\n\nBackground\n\n       On March 16, 2006, the Federal Bureau of Investigation (FBI)\nannounced that it had awarded a contract to Lockheed Martin Services,\nIncorporated (Lockheed Martin) to develop the Sentinel information\nand investigative case management system in 4 phases. The cost of\nthe four phases of the Lockheed Martin contract was\n$305 million, and the FBI estimated that it would cost an additional\n$120 million to staff the FBI\xe2\x80\x99s Sentinel Program Office, provide\ncontractor support, and establish a management reserve for\ncontingencies, with the total estimated cost of Sentinel at $425 million.\nThe initial schedule for the Lockheed Martin contract calls for all\nphases to be completed in December 2009, or 45 months from the\nstart of work.\n\n      According to the contract, Lockheed Martin can be rewarded for\nmeeting established goals in four areas: project management, cost\nmanagement, schedule, and technical performance. The award fee\ncannot exceed xx percent of the $232.4 million total development\ncosts for Sentinel, or approximately $26 million, and will be allocated\nacross the four areas based on risk. This type of contract and award\nfee structure is common for large government IT projects.\n\n       The Sentinel project, which uses commercial-off-the-shelf\n(COTS) components, is intended to provide the FBI with a web-\nenabled electronic case management system that includes records\nmanagement, workflow management, evidence management, search\nand reporting capabilities, and information sharing capability with\nother law enforcement agencies and the intelligence community.\nAccording to the FBI Director, \xe2\x80\x9cSentinel will strengthen the FBI\xe2\x80\x99s\ncapabilities by replacing its primarily paper-based reporting system\nwith an electronic system designed for information sharing. Sentinel\nwill support our current priorities, including our number one priority:\npreventing terrorist attacks.\xe2\x80\x9d10\n\n      The Sentinel project follows the FBI\xe2\x80\x99s unsuccessful efforts to\ndevelop an automated case management system called the Virtual\n\n      10\n         FBI Press Release entitled FBI Announces Award of Sentinel Contract,\nMarch 16, 2006.\n\n                                      -1-\n\x0cCase File (VCF), which was intended to replace the FBI\xe2\x80\x99s obsolete\nAutomated Case Support (ACS) system. Because of the FBI\xe2\x80\x99s failed\n$170 million VCF project, congressional appropriations and oversight\ncommittees questioned whether the FBI could successfully develop and\nimplement a case management system of Sentinel\xe2\x80\x99s magnitude. Given\nthe importance of the Sentinel project, the congressional\nappropriations committees and the FBI Director asked the Department\nof Justice Office of the Inspector General (OIG) to continually review\nand report on the progress of the FBI\xe2\x80\x99s development of Sentinel.\n\n      This report is the second OIG report on Sentinel, and covers the\nprogress the FBI has made in resolving the concerns identified in our\nMarch 2006 report on the planning for Sentinel, whether the FBI\xe2\x80\x99s\nInformation Technology Investment Management (ITIM) processes and\nproject management are likely to contribute to the successful\nimplementation of Sentinel, and the contract with Lockheed Martin to\ndevelop Sentinel. Over the past few years, the OIG and others have\nreviewed various aspects of the FBI\xe2\x80\x99s information technology (IT)\ninfrastructure and cited a critical need for the FBI to modernize its\ncase management system. In previous reports, the OIG concluded\nthat current FBI systems do not permit agents, analysts, and\nmanagers to readily access and share case-related information\nthroughout the FBI, and without this capability, the FBI cannot\nperform its critical missions as efficiently and effectively as it should.\n\n       In its mission-needs statement for Sentinel, the FBI stated that\nits current case management system must be upgraded to utilize new\ninformation technologies by moving from a primarily paper-based case\nmanagement process to an electronic records system. The FBI noted\nthat this transition would enable agents and analysts to more\neffectively perform their investigative and intelligence duties.\n\n      The FBI\xe2\x80\x99s attempt to move from a paper-based to an electronic\ncase management system began with the Trilogy project in mid-2001.\nThe objectives of Trilogy were to update the FBI\xe2\x80\x99s aging and limited IT\ninfrastructure; provide needed IT applications for FBI agents, analysts,\nand others to efficiently and effectively do their jobs; and lay the\nfoundation for future IT improvements. Trilogy consisted of upgrading\nthe FBI\xe2\x80\x99s: (1) hardware and software; (2) communications network;\nand (3) the five most important investigative applications, including\nthe antiquated ACS. The first two components of Trilogy were\ncompleted in April 2004 at a cost of $337 million, almost $100 million\nmore than originally planned. Among other improvements, the FBI\n\n                                  -2-\n\x0cenhanced its IT infrastructure with new desktop computers for its\nemployees and deployed a wide area network to enhance electronic\ncommunication among FBI offices and with other law enforcement\norganizations. However, despite additional funding the FBI received to\naccelerate completion of Trilogy, these first two phases were not\ncompleted any faster than originally planned.\n\n       In early 2004, after nearly 3 years of development, the FBI\nengaged several external organizations and contractors to evaluate the\nVCF, the third prong of the Trilogy project. Based on critical\ncomments by these organizations, the FBI began to consider\nalternative approaches to developing the VCF, including terminating\nthe project or developing a completely new case management system.\nIn late 2004, the FBI commissioned Aerospace Corporation to perform\na trade study evaluating the functionality of COTS and government off-\nthe-shelf (GOTS) technology to meet the FBI\xe2\x80\x99s case management\nneeds. Aerospace followed this study with an Independent Verification\nand Validation (IV&V) report on VCF, issued in January 2005, which\nrecommended that the FBI pursue a COTS-based, service-oriented\narchitecture.11 The IV&V report concluded that a lack of effective\nengineering discipline led to inadequate specification, design, and\ndevelopment of the VCF.\n\n       In late 2004, the FBI modified its approach to developing the\nVCF by dividing the project into Initial Operational Capability (IOC) and\nFull Operational Capability segments. The IOC segment assessed the\nVCF project and involved a pilot test of the most advanced version of\nVCF in an FBI field office. The Project Management Executive for the\nFBI\xe2\x80\x99s Office of Information Technology Program Management stated\nthat the results of the pilot validated that ending the VCF project was\nthe right decision.\n\n      The FBI issued a final report on the IOC at the end of April\n      12\n2005.   According to the report, the FBI terminated work on the VCF\n\n       11\n          IV&V is a standard ITIM process whereby an independent entity assesses\nthe system as it is developed in order to evaluate if the software will perform as\nintended. A service-oriented architecture is a collection of services that\ncommunicate with each other. The communication can involve a simple data\nexchange or two or more services coordinating on an activity.\n       12\n           Department of Justice, Federal Bureau of Investigation. Federal Bureau of\nInvestigation: Virtual Case File Initial Operational Capability Final Report, version\n1.0, April 29, 2005.\n\n                                        -3-\n\x0cdue to the lack of progress on its development. The FBI stated that it\nwas concerned that the computer code being used to develop the VCF\nlacked a modular structure, thereby making enhancements and\nmaintenance difficult. In addition, the FBI report said that the\n\xe2\x80\x9cmarketplace\xe2\x80\x9d had changed significantly since the VCF development\nhad begun, and appropriate COTS products, which were previously\nunavailable, were now available.\n\n       In his March 2005 testimony before the House Appropriations\nCommittee, the FBI Director said the FBI would apply lessons learned\nfrom the VCF to develop and deploy Sentinel. The FBI has said that of\nthe $170 million VCF project, $104.5 million was lost but that $53.3\nmillion in contractor services and equipment could be used and $12.2\nmillion was unspent.13\n\nSentinel\n\n      Similar to what the FBI had envisioned for the final version of\nthe VCF, Sentinel is intended to not only provide a new electronic case\nmanagement system, transitioning the FBI files from paper-based to\nelectronic records, but also to result in streamlined processes for\nagents to maintain investigative lead and case data.14 In essence, the\nFBI expects Sentinel to be an integrated system supporting the\nprocessing, storage, and management of information to allow the FBI\nto more effectively perform its investigative and intelligence\noperations.\n\n       According to the FBI, the use of Sentinel in the future will\ndepend on the system\xe2\x80\x99s ability to be easily adapted to evolving\ninvestigative and intelligence business requirements over time.\nTherefore, the FBI intends to develop Sentinel using a flexible software\narchitecture that allows economical and efficient changes to software\ncomponents as needed in the future. According to the FBI, a key\nelement of the Sentinel architecture contributing to achieving this\nflexibility will be the use of COTS and GOTS applications software. The\nFBI intends to integrate the off-the-shelf products with an Oracle\n\n\n\n       13\n        The OIG has not verified these figures, including the services and\nequipment the FBI said could be reused.\n       14\n           A lead is a request from any FBI field office or headquarters for assistance\nin the investigation of a case.\n\n                                         -4-\n\x0cdatabase, thereby separating the applications code from the\nunderlying data being managed in order to simplify future upgrades.\n\n      FBI agents are required to document investigative activity and\ninformation obtained during an investigation. The case file is the\ncentral system for holding these records and managing investigative\nresources. As a result, the case file includes documentation from the\ninception of a case to its conclusion. FBI agents and analysts currently\ncreate paper files in performing their work, making the process of\nadding a document to a case file a highly paper-intensive, manual\nprocess. Files for major cases can contain over 100,000 documents,\nleads, and evidence items.\n\n       Currently, the documentation within case files is electronically\nmanaged through the ACS system. The ACS system maintains\nelectronic copies of most documents in the case file, and provides\nreferences to documents that exist in hardcopy only. Upon approval of\na paper document, an electronic copy of the completed document is\nuploaded to the electronic case file of the ACS system. However, ACS\nis a severely outdated system that is cumbersome to use effectively\nand does not facilitate the searching and sharing of information. The\nlimited capabilities of the ACS mean that agents and analysts cannot\neasily acquire and link information across the FBI.\n\n      In contrast, the FBI expects Sentinel to greatly enhance the\nusability of case files for agents and analysts, both in terms of adding\ninformation to case files as well as searching for case information. FBI\nsupervisors, reviewers, and others involved in the approval process\nalso will be able to review, comment, and approve the insertion of\ndocuments into appropriate FBI electronic files through Sentinel.\n\n      In addition to enhancing the investigative capabilities within the\nFBI, Sentinel is intended to serve as the pilot project in the\ndevelopment of the Federal Investigative Case Management System\n(FICMS) framework as part of the federal government\xe2\x80\x99s e-government\ncase management line of business. The FBI was named the lead\nagency for the FICMS initiative, which, according to a June 2005\nmemorandum of understanding (MOU) signed by the FBI, DOJ, and\nthe Department of Homeland Security (DHS) Chief Information Officers\n(CIO), is intended to produce an architectural framework designed to:\n(1) bring federal law enforcement and investigative resources into a\ncommon electronic environment that promotes collaboration and\noptimum deployment of federal resources; and (2) create investigative\n\n                                  -5-\n\x0ccase management solutions that provide state-of-the-art capabilities to\ncollect, share, and analyze information from internal and external\nsources and initiate appropriate enforcement responses. According to\na Senior Policy Advisor to the Department\xe2\x80\x99s CIO, other federal\nagencies can use Sentinel\xe2\x80\x99s core solution for their case management\nsystems because of its standard set of case management tools and\nadaptability. Additionally, according to the FBI CIO, the Office of\nManagement and Budget (OMB) has begun to encourage other\nagencies to become involved with the development of Sentinel and its\ninterfaces in order to ensure future information sharing capability\namong all agencies.\n\nSentinel\xe2\x80\x99s Phased Approach\n\n      The FBI expects to develop the Sentinel project in 4 phases,\neach with an approximately 12- to 16-month timeframe and\noverlapping by 1 to 2 months. For example, Phase 2 is anticipated to\nbegin approximately 2 months before the end of Phase 1. Each phase,\nwhen deployed, will result in a stand-alone set of capabilities that can\nbe added to by subsequent phases to complete the Sentinel project.\nThe following chart shows the phases and general timeframes for\nSentinel, according to the FBI.\n\n\n\n\n                                 -6-\n\x0c                         Conceptual SENTINEL Schedule with\n                                    Capabilities\n\n\n                                           New Electronic Case File                                              Phase 4\n                                              (ECF) Capability\n\n                                          \xc2\x83 Automated Workflow                                      Jan \xe2\x80\x9809                        Dec \xe2\x80\x9809\n                                          \xc2\x83 Document Management\n                                          \xc2\x83 Searching and Reporting                                             New Investigative Case\n                                          \xc2\x83 PKI & Role Based Access                                               Management (ICM)\n               New Portal and             \xc2\x83 Digital Signatures                         Phase 3                        Capability\n                Foundational              \xc2\x83 Records Management\n                Components                \xc2\x83 Interfaces to Legacy ECF                                            \xc2\x83 Collected Items Mgmt\n                                          \xc2\x83 Start Data Migration (New      Apr \xe2\x80\x9808                 Feb \xe2\x80\x9809      \xc2\x83 Document Scanning\n         \xe2\x80\xa2 SENTINEL Portal with           and Open Cases)                              New Universal            \xc2\x83 Interfaces to Legacy ICM\n         access to ACS                    \xc2\x83 UNI Data Cleansing                          Index (UNI)             Systems\n         \xe2\x80\xa2 Case \xe2\x80\x9cWorkbox\xe2\x80\x9d                                                                Capability             \xc2\x83 Migration of ICM Data\n         \xc2\x83 Components of                                                                                        (Closed Cases)\n         Service-Oriented                                                           \xc2\x83 UNI Data Migration        \xc2\x83 Retirement of Legacy\n                                     Feb \xe2\x80\x9807                            May \xe2\x80\x9808\n         Architecture\n                                                Phase 2                             \xc2\x83 Interfaces to Legacy      Systems\n         \xc2\x83 ECF Data Cleansing                                                       UNI Systems\n         (formatting)                                                               \xc2\x83 Enhanced Search\n                                                                                    & Improved Indexing\n                                                                                    \xc2\x83 ICM Data Cleansing\n\n                  Phase 1           Apr \xe2\x80\x9807\n    Mar \xe2\x80\x9806\n\n\n\n\n     Mar \xe2\x80\x9806                    Feb \xe2\x80\x9807                                   Apr \xe2\x80\x9808                     Jan \xe2\x80\x9809                       Dec 2009\n\n\n\n\n   Source: FBI\n\n      Phase 1 will introduce the Sentinel portal, which will provide\naccess to data from the existing ACS system and eventually, through\nincremental changes, support access to a newly created investigative\ncase management system. Phase 1 will also provide a case\nmanagement \xe2\x80\x9cworkbox\xe2\x80\x9d that will present a summary of all cases the\nuser is involved with, rather than requiring the user to perform a\nseries of queries to find the cases as is currently necessary with ACS.\nAdditionally, the FBI will acquire software to identify persons, places,\nor things within the case files for automated indexing to allow the files\nto be searchable by these categories. The FBI will also select the\nhardware and software that will form the foundation of Sentinel\xe2\x80\x99s\nfuture service oriented architecture. Finally, the FBI will prepare the\ndata in the Electronic Case File portion of ACS to be migrated to\nSentinel in Phase 2.\n\n      Phase 2, the most ambitious and difficult of the phases, will\nbegin the transition to paperless case records and the implementation\nof electronic records management. A workflow tool will support the\nflow of electronic documents through the review and approval cycles.\nA new security framework will be implemented to support access\ncontrols and electronic signatures. Additionally, the FBI will begin\n\n\n                                                                   -7-\n\x0cmigrating data from the Electronic Case File to Sentinel and preparing\ndata from the Universal Index to be migrated to Sentinel in Phase 3.\n\n      Phase 3 will replace the Universal Index (UNI), which is used to\ndetermine if any information about a person, place, or thing exists\nwithin the FBI\xe2\x80\x99s current case management system. The UNI is a\ndatabase of persons, places, and things that have relevance to an\ninvestigative case. While the current UNI supports only a limited\nnumber of attributes, Phase 3 will expand the number of attributes\nwithin the information management system.15 Improving the\nattributes will allow more precise and comprehensive searching within\nSentinel and increase the ability to \xe2\x80\x9cconnect the dots.\xe2\x80\x9d\n\n      Phase 4 will implement Sentinel\xe2\x80\x99s new case management and\nreporting capabilities, and will consolidate the various case\nmanagement components into one overall system. Shortly after the\nend of this phase, the legacy systems will be shut down and the\nremaining cases in the legacy Electronic Case File will be migrated to\nthe new case management system. In this phase, as in all the others,\nchanges to the Sentinel portal will be required to accommodate the\nnew features being introduced.\n\nEarned Value Management System\n\n      Earned Value Management (EVM) is a tool that measures the\nperformance of a project by comparing the variance between\nestablished cost, schedule, and performance baselines and what is\nactually taking place. These variances are measured periodically to\ngive project managers a timely perspective on the status of a project.\nEVM then can provide an early warning that a project is heading for\ntrouble. EVM reporting is an important risk-management tool for a\nmajor IT development project such as Sentinel.\n\n       In August 2005, the OMB issued a memorandum requiring all\nfederal agency CIOs to manage and measure all major IT projects\nusing an EVM system. Additionally, all agencies were to develop\npolicies for full implementation of EVM on IT projects by December 31,\n2005. In response to these requirements, the FBI developed a\nSentinel Program EVM Capability Implementation Plan in August 2005\n\n       15\n           An attribute defines a property of an object within a case file. Examples of\nattributes are eye color, height, and nationality when describing an individual or\naddress, floor, and room number when describing a specific location.\n\n                                        -8-\n\x0cand subsequently acquired a tool to implement an EVM system for the\nSentinel project.\n\n      The OMB EVM memorandum also required that Integrated\nBaseline Reviews (IBRs) be performed for any projects that require\nEVM in order to establish performance management baselines against\nwhich a project\xe2\x80\x99s performance can be measured.16 Properly executed,\nIBRs are an essential element of a program manager\xe2\x80\x99s risk-\nmanagement approach. IBRs are intended to provide both the\ngovernment\xe2\x80\x99s and the contractor\xe2\x80\x99s program managers with a mutual\nunderstanding of the project\xe2\x80\x99s performance measurement baseline and\nagreement on a plan of action to resolve the identified risks.\nAccording to OMB guidance on IBRs, the objective of an IBR is to\nconfirm compliance with the following business rules:\n\n      \xe2\x80\xa2    the technical scope of work is complete and consistent with\n           authorizing documents;\n\n      \xe2\x80\xa2    key schedule milestones are identified;\n\n      \xe2\x80\xa2    supporting schedules reflect a logical flow to accomplish the\n           technical work scope;\n\n      \xe2\x80\xa2    resources, including money, facilities, personnel, and skills,\n           are adequate and available for the assigned tasks;\n\n      \xe2\x80\xa2    tasks are planned and can be measured objectively, relative\n           to technical progress;\n\n      \xe2\x80\xa2    underlying performance measurement baseline rationales are\n           reasonable; and\n\n      \xe2\x80\xa2    managers have appropriately implemented required\n           management processes.\n\n\n\n\n      16\n          The performance measurement baseline is a total, time-phased budget\nplan against which program performance is measured.\n\n                                      -9-\n\x0cPrior Reports\n\n      Over the past few years, the OIG and other oversight entities\nhave issued reports examining the FBI\xe2\x80\x99s attempts to update its case\nmanagement system. In these reports the OIG, the Government\nAccountability Office (GAO), the House of Representatives\xe2\x80\x99 Surveys\nand Investigations Staff, and others have made a variety of\nrecommendations focusing on the FBI\xe2\x80\x99s management of the FBI\xe2\x80\x99s\nTrilogy project, particularly the VCF portion of the project, and the\ncontinuing need to replace the outdated ACS system. More recently\nthe OIG has reported on Sentinel, the successor to the VCF project. A\ndiscussion of key points from these reports follows. (A more\ncomprehensive description of the reports appears in Appendix 3.)\n\n      In March 2006, the OIG released the first in a series of audit\nreports that will monitor the FBI\'s development and implementation of\nthe Sentinel project.17 This report discussed the FBI\xe2\x80\x99s pre-acquisition\nplanning for the Sentinel project, including the approach, design, cost,\nfunding sources, time frame, contracting vehicle, and oversight\nstructure. In reviewing the management processes and controls the\nFBI has applied to the pre-acquisition phase of Sentinel, the OIG found\nthat the FBI has developed IT planning processes that, if implemented\nas designed, can help the FBI successfully complete Sentinel.\n\n      In particular, the OIG found that the FBI has made\nimprovements in its ability to plan and manage a major IT project by\nestablishing ITIM processes, developing a more mature Enterprise\nArchitecture, and establishing a Program Management Office (PMO)\ndedicated to the Sentinel project.\n\n       However, at that time the OIG identified several concerns about\nthe FBI\xe2\x80\x99s management of the Sentinel project: (1) the incomplete\nstaffing of the Sentinel PMO, (2) the FBI\xe2\x80\x99s ability to reprogram funds to\ncomplete the second phase of the project without jeopardizing its\nmission-critical operations, (3) Sentinel\xe2\x80\x99s ability to share information\nwith external intelligence and law enforcement agencies and provide a\ncommon framework for other agencies\xe2\x80\x99 case management systems,\n(4) the lack of an established EVM process, (5) the FBI\xe2\x80\x99s ability to\n\n       17\n          Department of Justice, Office of the Inspector General. The Federal Bureau\nof Investigation\xe2\x80\x99s Pre-Acquisition Planning For and Controls Over the Sentinel Case\nManagement System, Audit Report Number 06-14, March 2006.\n\n\n\n                                      - 10 -\n\x0ctrack and control Sentinel\xe2\x80\x99s costs, and (6) the lack of complete\ndocumentation required by the FBI\xe2\x80\x99s information technology\ninvestment management processes.\n\n       In May 2006, the GAO released a report critical of the FBI\xe2\x80\x99s\ncontrols over costs and assets of its Trilogy project.18 The GAO found\nthat the FBI\xe2\x80\x99s review and approval process for Trilogy contractor\ninvoices did not provide an adequate basis for verifying that goods and\nservices billed were actually received and that the amounts billed were\nappropriate, leaving FBI highly vulnerable to payments of unallowable\ncosts. These costs included first-class travel and other excessive\nairfare costs, incorrect charges for overtime hours, and charges for\nwhich the contractors could not document costs incurred. The GAO\nfound about $10 million in unsupported and questionable costs. The\nGAO also found that the FBI failed to establish controls to maintain\naccountability over equipment purchased for the Trilogy project.\nAccording to the GAO, poor property management led to 1,200\nmissing pieces of equipment valued at $7.6 million.\n\n      In February 2005, the OIG reported on the critical need to\nreplace the ACS, finding that without an effective case management\nsystem the FBI remained significantly hampered due to the poor\nfunctionality and lack of information-sharing capabilities of its current\nIT systems.19 The OIG audit report concluded that the difficulties the\nFBI experienced in replacing the ACS were attributable to: (1) poorly\ndefined and slowly evolving design requirements, (2) contracting\nweaknesses, (3) IT investment management weaknesses, (4) lack of\nan Enterprise Architecture, (5) lack of management continuity and\noversight, (6) unrealistic scheduling of tasks, (7) lack of adequate\nproject integration, and (8) inadequate resolution of issues raised in\nreports on Trilogy. The report described concerns with the cost-plus-\naward-fee contract as it was implemented by the FBI for Trilogy\nbecause the contract did not: require specific completion milestones,\ninclude critical decision review points, or provide for penalties if the\nmilestones were not met.\n\n       18\n          U.S. Government Accountability Office. Federal Bureau of Investigation:\nWeak Controls over Trilogy Project Led to Payment of Questionable Contractor Costs\nand Missing Assets, Report Number GAO-06-306, May 2006.\n       19\n          Department of Justice, Office of the Inspector General. The Federal\nBureau of Investigation\xe2\x80\x99s Management of the Trilogy Information Technology\nManagement Project, Audit Report Number 05-07, February 2005.\n\n\n\n                                      - 11 -\n\x0c      In April 2005, the House Appropriation Committee\xe2\x80\x99s Surveys and\nInvestigations staff similarly concluded in its report that:20\n\n      \xe2\x80\xa2    VCF development suffered due to a lack of program\n           management expertise, disciplined systems engineering\n           practices, and contract management. The project also was\n           harmed by a high turnover of CIOs and program managers.\n\n      \xe2\x80\xa2    VCF development was negatively affected by the FBI\xe2\x80\x99s lack of\n           an empowered and centralized CIO office and sound business\n           processes by which IT projects are managed.\n\n      \xe2\x80\xa2    The FBI\xe2\x80\x99s decision to terminate VCF was related to\n           deficiencies in the VCF product delivered, failure of a pilot\n           project to meet user needs, and the new direction the FBI\n           planned to take for its case management system.\n\n      \xe2\x80\xa2    The FBI\xe2\x80\x99s IT program management business structure and\n           processes at the time of the report were, for the most part, in\n           place, although some of these processes needed to mature.\n\n      In September 2004, the GAO reported that although\nimprovements were under way and more were planned, the FBI did\nnot have an integrated plan for modernizing its IT system.21 The GAO\nreported that each of the FBI\xe2\x80\x99s divisions and other organizational units\nthat manage IT projects performed integrated planning for its\nrespective IT projects. However, the plans did not provide a common,\nauthoritative, and integrated view of how IT investments will help\noptimize mission performance, and they did not consistently contain\nthe elements expected to be found in effective systems modernization\nplans. The GAO recommended that the FBI limit its near-term\ninvestments in IT systems until it developed an integrated systems\nand modernization plan and effective policies and procedures for\nsystems acquisition and investment management. Additionally, the\n\n\n      20\n          U.S. Congress, House of Representatives, House Surveys and\nInvestigations. A Report to the Committee on Appropriations, U.S. House of\nRepresentatives, April 2005.\n      21\n         U.S. Government Accountability Office. Information Technology:\nFoundational Steps Being Taken to Make Needed FBI Systems Modernization\nManagement Improvements, Report Number GAO 04-842, September 2004.\n\n\n\n                                      - 12 -\n\x0cGAO recommended that the FBI\xe2\x80\x99s CIO be provided with the\nresponsibility and authority to effectively manage IT FBI-wide.\n\n\n\n\n                                 - 13 -\n\x0c           FINDINGS AND RECOMMENDATIONS\n\nFoundation of the Sentinel Project\n\n     In March 2006, using a Government-Wide Acquisition\n     Contract (GWAC), the FBI awarded Lockheed Martin\n     Services, Incorporated a $57 million task order for Phase 1\n     of Sentinel, with options for $248 million more to complete\n     three additional phases and provide the operations and\n     maintenance of the system. In addition to a cost baseline,\n     the project also has an overall schedule for which specific\n     baselines are being established phase-by-phase. Over\n     about 4 years, Lockheed Martin will be responsible for\n     designing, developing, integrating, testing, deploying,\n     operating, and maintaining Sentinel. In addition to the\n     potential award of $305 million to Lockheed Martin, the\n     FBI expects to spend $120 million for other contractor\n     support and program management, for a total project cost\n     of $425 million.\n\n     Based on our review of Sentinel\xe2\x80\x99s Statement of Work and\n     other documents associated with the contract award, we\n     concluded that the contracting arrangement and scope of\n     work for Sentinel appear reasonable, particularly\n     considering the FBI\xe2\x80\x99s vastly improved ITIM processes and\n     project management capabilities. We also found that the\n     FBI has made good progress toward addressing most of\n     the concerns identified in our March 2006 audit report,\n     although continued action or monitoring is needed on\n     some of the concerns. We have also identified additional\n     concerns in this audit. Among our overall concerns are:\n     (1) project funding, (2) the estimate of total project costs,\n     (3) risk management, and (4) filling PMO vacancies.\n\nSentinel Contract\n\n      The FBI is using a GWAC contracting vehicle, administered by\nthe National Institutes of Health (NIH), to develop Sentinel. Such a\ncontracting vehicle streamlines the acquisition process by allowing\nmultiple government agencies to purchase services under one\ncontract. Instead of awarding a specific contract to a vendor, the\n\n\n                                 - 14 -\n\x0cawarding agency issues a task order to the selected vendor. In the\ncase of Sentinel, the FBI administers the task order itself. In March\n2006, the FBI announced that the four-phase Sentinel project would\ncost an estimated $425 million, with $305 million awarded to Lockheed\nMartin to develop the system by December 2009 and $120 million for\nthe FBI\xe2\x80\x99s program management costs and other contractor support.\n\n      The FBI subsequently awarded Lockheed Martin a $57 million\ntask order for Phase 1 of Sentinel, with options for $248 million more\nfor the three additional phases and the operations and maintenance\n(O&M) of the system developed during the project. In addition to the\ncost baseline, the project has an overall schedule for which specific\nbaselines are being established phase-by-phase. Over about 4 years,\nLockheed Martin will be responsible for designing, developing,\nintegrating, testing, deploying, operating, and maintaining Sentinel \xe2\x80\x93\nwhich will be primarily based on commercial-off-the-shelf software \xe2\x80\x93\nand will provide all the personnel, facilities, equipment, material, and\nsupport necessary to implement Sentinel.\n\n      Lockheed Martin is performing the work under a cost-plus-\naward-fee arrangement, similar to the one used during the Trilogy\nproject.22 However, the FBI is providing much greater control and\noversight for Sentinel compared to the weak management evident in\nthe Trilogy project. The contract is structured to reward excellent\nperformance by Lockheed Martin. If Lockheed Martin meets the\nschedule and cost targets set by the FBI, the FBI can grant Lockheed\nMartin award fees of up to xx percent of the xxxxxxxxxx Sentinel\ndevelopment costs, or up to nearly xxxxxxxxxx. Lockheed Martin\xe2\x80\x99s\nperformance will also determine whether the FBI exercises options to\naward additional phases of the project to Lockheed Martin. If the FBI\nfinds Lockheed Martin\xe2\x80\x99s performance unacceptable at any stage of the\nproject, the FBI can order Lockheed Martin to stop work on the\nproject. If the contractor does not meet its milestones, it will be\npenalized by loss of the award fee.\n\nEstimating Sentinel\xe2\x80\x99s Cost\n\n      The FBI based its $425 million estimate for the total cost of the\nSentinel project on: (1) an independent government cost estimate\nconducted on the FBI\xe2\x80\x99s behalf by Mitretek Systems prior to soliciting\n\n       22\n         The development contract under the GWAC is cost-plus-award-fee.\nHowever, all materials are cost-plus-fixed-fee and travel is cost reimbursable only.\n\n                                       - 15 -\n\x0cbids for Sentinel in April 2005, and (2) the FBI\xe2\x80\x99s assessment of the\ncost estimate contained in Lockheed Martin\xe2\x80\x99s proposal.23 We reviewed\nthe processes used to derive the $425 million estimate, noted\ninconsistencies in the process and the results, and concluded that the\nestimate is a rough approximation of Sentinel\xe2\x80\x99s overall costs. The\nestimate is, in our view, tentative given the variances in the\nsupporting cost estimates and the inherent complexity of estimating\ncosts for a major IT system even before the design is finalized.\nHowever, the FBI\xe2\x80\x99s CIO said he stands by the estimate. Further, we\nidentified several Sentinel-related projects, the costs of which are not\nincluded in the overall Sentinel estimate.\n\nIndependent Government Cost Estimate\n\n       The independent government cost estimate concluded that\nproject costs would range between $329 million and $493 million, with\nthe most likely cost $438 million. According to the Chief of Sentinel\xe2\x80\x99s\nBusiness Management Unit, this estimate is the basis for the $120\nmillion program management portion of the FBI\xe2\x80\x99s total estimate of\n$425 million.\n\n       The independent government cost estimate established a series\nof classifications to describe the work to be accomplished and the\nproducts to be acquired in the development of Sentinel. Six different\ntechniques were used to estimate the cost of the various elements of\nSentinel: parametric modeling, cost estimating relationships, analogy,\nengineering assessment, vendor quote, and historical data.\nAppendix 4 provides detailed definitions of each of these cost\nestimating methods. The cost-estimating method chosen for each\nwork element depended on the availability of technical and cost data.\n\n       We reviewed the estimate and identified several concerns about\nits ability to provide the FBI with a reliable estimate of Sentinel\xe2\x80\x99s costs.\nThe estimate was performed concurrently with development of\nSentinel\xe2\x80\x99s requirements. While Mitretek Systems, the FBI\xe2\x80\x99s estimating\ncontractor, coordinated its efforts with personnel developing Sentinel\xe2\x80\x99s\nrequirements, the estimate might not accurately reflect the project\xe2\x80\x99s\nfinal design specifications, which are not expected to be completed\n\n       23\n           Independent government cost estimates help federal agencies budget for\nprojects, compare contractor proposals, and evaluate the reasonableness of costs in\ncontractor proposals.\n\n\n\n                                      - 16 -\n\x0cuntil about October 2006. Also, the estimate contains several\ninconsistencies. For example, some parts of the cost estimate show\nSentinel\xe2\x80\x99s O&M phase lasting 3 years while other parts show it lasting\n2 years, resulting in a likely O&M cost range of $62 million to\n$87 million. If the additional inconsistencies are factored into the\nsummary cost of the O&M phase, the O&M estimate could be as low as\n$53 million. Finally, the overall cost estimate does not include all of\nthe costs in the Sentinel funding plan. For example, the estimate does\nnot include the management, or risk, reserve or a separate\nIndependent Verification and Validation (IV&V) contract to\nindependently assess Lockheed Martin\xe2\x80\x99s testing of Sentinel\xe2\x80\x99s software,\nwhich currently account for a total of $40 million of the PMO\xe2\x80\x99s $120\nmillion estimate.24\n\nGovernment\xe2\x80\x99s Estimated Most Probable Cost\n\n      The FBI received proposals for the Sentinel project from xxxx\nbidders. When the xxxx proposals were received, the FBI reviewed\nthem to determine whether the cost data within the proposals was\ncomplete, based on clear and accepted methodologies, and accurate.\nXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxx25 Cost realism analysis results in the\nGovernment Estimate of Most Probable Cost (GEMPC) for the project.\nXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxx.26 Based on the GEMPC, FBI officials concluded that\nLockheed Martin\xe2\x80\x99s estimate was reasonable xxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n       24\n          A management reserve, also known as a risk reserve, is a budgeted\ncontingency fund used to cover costs not anticipated at the time a project\xe2\x80\x99s cost\nestimate is developed.\n       25\n          The Federal Acquisition Regulation (FAR) requires that cost realism\nanalysis be performed on cost-reimbursement contracts to determine the probable\ncost of performance for each bidder. Cost realism analysis is the process of\nindependently reviewing and evaluating specific elements of each proposed cost\nestimate to determine whether the estimated cost elements are realistic for the work\nperformed, reflect a clear understanding of the requirements, and are consistent with\nthe unique methods of performance and materials described in the bidder\xe2\x80\x99s technical\nproposal.\n       26\n         xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n                                       - 17 -\n\x0cxxxxxxxxxxxxxxx\n\n     xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxsxs\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxs\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxsssssx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxs\nx xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxsx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxss\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xxxxxxxxxxxxxxxxxxxxx xxxxssssss\nxxxxxxxxx xxxxxxxxxx xxxxxxxxxx\n\n     xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n     xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n     xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n                            - 18 -\n\x0cxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n     xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.27\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Despite these differences,\nthe FBI determined that Lockheed\xe2\x80\x99s proposal was reasonable and did\nnot pose a significant risk. According to FBI officials, the FBI resolved\nthe issues identified in the GEMPC during its negotiations with\nLockheed Martin.\n\n      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxx Due to the variability and inconsistencies of the estimates\nwe reviewed, and the difficulty of forecasting the eventual cost of a\nmajor IT project, we could not confirm the accuracy of estimates, nor\ncould we validate the FBI\xe2\x80\x99s overall estimate of $425 million for\nSentinel.\n\n\n       27\n         Xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.\n\n                                       - 19 -\n\x0cSentinel-Related Costs\n\n       We also identified several projects and other costs, which in total\nexceed $25 million, that are related to Sentinel but are not considered\nby the FBI as direct Sentinel costs and are therefore not included in\nthe FBI\xe2\x80\x99s total estimate of $425 million. Examples of these related\ncosts include the National Name Check system, security costs, and FBI\nsalaries. However, as discussed previously, because of the difficulties\nassociated with accurately estimating the total cost of such a large\nproject, we cannot state with certainty whether Sentinel\xe2\x80\x99s costs would\nexceed $425 million, only that the costs would be higher if the costs of\nthe Sentinel-related projects were included.\n\n      The implementation of Sentinel will require changes to the FBI\xe2\x80\x99s\nNational Name Check system. In response to a request from a\nfederal, state, or local agency, the National Name Check Program\nqueries FBI records to determine whether the person named in the\nrequest has been the subject of an FBI investigation or mentioned in\nan FBI investigation. The data system used by the Name Check\nprogram relies very heavily on the ACS system, which Sentinel is\nintended to replace. The estimated cost of updating the existing name\ncheck system to work with Sentinel is over xxxxxxxxxx.\n\n      The FBI is also developing security through its Information\nAccess Technology Initiative (IATI) to support Sentinel and future FBI\nsystems. A portion of the IATI is intended to help the FBI move from\na manual security classification review of documents to a more\nautomated review. The IATI will be developed in concert with Sentinel\nand should be able to integrate with Sentinel and the FBI\xe2\x80\x99s overall IT\nnetwork as well. The purchase of any initial license for a security\nproduct used in conjunction with the IATI would be funded by the\nOffice of the CIO (OCIO). This license will be used for testing and\nevaluation. If approved, Sentinel would later purchase a license for its\nown use of the product. While the software is critical to the security of\nSentinel, the cost of the initial license is not reflected in the FBI\xe2\x80\x99s\nSentinel costs. The FBI is uncertain as to which of the products in\ndevelopment would be used by Sentinel and therefore was unable to\nestimate the specific costs related to Sentinel.\n\n      The salary costs of FBI employees are also not tracked as a\nSentinel expense. These costs include FBI employees assigned to the\nSentinel PMO, the employees who will be developed to train other\nemployees on Sentinel use, ITOD staff assigned to Sentinel,\n\n                                  - 20 -\n\x0cemployees who will attend Sentinel training, and the Finance Division\nauditors who review Sentinel invoices. While the Independent\nGovernment Cost Estimate of $438 million does not include the cost of\nFBI employees in the overall cost of Sentinel, other portions of the\nreport concluded that the cost of FBI employees\xe2\x80\x99 involvement in the\ndevelopment and implementation of Sentinel would be approximately\n$15.8 million.\n\n      The FBI\xe2\x80\x99s position is that the separate projects discussed above\nare independent, enterprise-wide projects that will benefit the FBI\xe2\x80\x99s\noverall IT structure, including Sentinel but also many other FBI\nprojects. The CIO and the Sentinel PMO contend that the costs of such\nindependent projects ought not be considered as Sentinel costs. While\nwe agree that these Sentinel-related projects may not be direct\nSentinel costs, in our view the scope of the Sentinel project would be\nlarger if it was not supported by these other investments. When\ndecision makers are considering the full cost of the Sentinel project,\nthey should keep in mind both the direct project costs as well as the\nadditional related costs.\n\nSpending Plan and Management Reserve\n\n       In the FBI\xe2\x80\x99s spending plan for Sentinel, developed shortly after it\nawarded the contract, the $425 million total project cost estimate\ncovers the four phases of Sentinel plus 2 years of O&M after the\ncompletion of the system. Based on Lockheed Martin\xe2\x80\x99s proposal, the\nFBI plans to pay Lockheed Martin $305 million for the development of\nSentinel and its O&M expenses. The spending plan shows that the FBI\nwill use the remaining $120 million for program management, the\nIV&V of the software, and management reserve. The FBI estimates\nthat Phase x, with a cost of xxxxxxxxxxx over x years, will be the most\nexpensive phase as well as the most challenging. The chart below\nsummarizes the FBI cost estimates by type of expense and project\nphase.\n\n\n\n\n                                  - 21 -\n\x0c                   Sentinel Spending Plan by Phase\n\n\n\n\n                         CHART REDACTED\n\n\n\n\n Source: The FBI\n\n      According to a May 2006 Lockheed Martin plan, material and\nequipment will be the largest cost of Lockheed Martin\xe2\x80\x99s contract to\ndevelop and deploy Sentinel. As shown in the following chart, labor to\ndevelop the system and O&M of the system are the other two major\ncost categories; together, they represent over 50 percent of the value\nof Lockheed Martin\xe2\x80\x99s contract.\n\n\n\n\n                                - 22 -\n\x0c                      Lockheed Martin Spending Plan\n                            By Cost Category\n\n\n\n\n                               CHART REDACTED\n\n\n\n\n       Source: Lockheed Martin Services, Incorporated\n\n       The Sentinel PMO is responsible for ensuring that the Sentinel\nproject is properly executed, including: (1) oversight of the program\xe2\x80\x99s\ncost, schedule and performance, (2) Life Cycle Management Directive\n(LCMD) reviews; (3) award fee evaluations; (4) review and acceptance\nof Lockheed Martin\xe2\x80\x99s documents; (5) requirements and risk\nmanagement; and (6) budget and financial management.28 As shown\nin the following chart, the FBI estimates that the majority of the PMO\xe2\x80\x99s\nexpenses will be for the operation of the PMO itself. The primary\nexpense of the PMO is contractors, which accounts for about\n74 percent of the PMO\xe2\x80\x99s 73 planned positions. The PMO\xe2\x80\x99s budget is\nbased on the requirement that all positions be filled throughout the\nfour phases of development. However, the Chief of the Business\nManagement Unit told us that there is no reason to fill six positions\nuntil the project approaches Phase 2, which begins in early 2007 (PMO\nstaffing is discussed later in this report). Twenty-eight percent of the\nPMO\xe2\x80\x99s $120 million budget is for a management, or risk, reserve. (As\ndiscussed in the EVM section of this report, Lockheed Martin also has a\nmanagement reserve for Phase 1.) The management reserve is an\n\n       28\n           The LCMD, which is a set of policies applicable to all FBI IT programs and\nprojects, contains a framework for standardized, repeatable, and sustainable\nprocesses for developing IT systems. The LCMD covers the entire IT system life\ncycle, including planning, acquisition, development, testing, and operations and\nmaintenance. See Appendix 6 for a detailed description of the LCMD.\n\n\n\n                                        - 23 -\n\x0cOMB-required contingency fund used to cover the costs not known at\nthe time a project\xe2\x80\x99s cost estimate is developed. Depending on the\nconfidence level the agency has in a project\xe2\x80\x99s cost estimate, the OMB\ncalls for management reserve of 10 to 30 percent.\n\n              Project Management Office Spending Plan\n                         By Cost Category\n\n\n\n\n                          5%\n            28%\n                                                         Program Management\n                                                         Risk Management\n                                                         IV&V\n                                           67%\n\n\n\n\n       Source: OIG Analysis of FBI data\n\n       According to the Sentinel Program Manager, Sentinel\xe2\x80\x99s\nmanagement reserve should be 11 percent of the estimated $232.4\nmillion development cost of the project, or about $25.6 million. The\nPMO determined the percentage of the management reserve based on\na review of the known risks and the System Requirements\nSpecification.29 We found that the total Sentinel management reserve\nof $34.1 million is about 15 percent of the development cost of the\nproject. As shown in the following chart, the FBI\xe2\x80\x99s management\nreserve varies by program phase from 11 percent of the development\ncost for Phase 2 to 32 percent for Phase 4.\n\n\n\n\n       29\n          A System Requirements Specification defines a system\xe2\x80\x99s technical\nrequirements in quantifiable and verifiable terms and the methods to be used to\nensure that each requirement has been met.\n\n\n\n                                      - 24 -\n\x0c                 Management Reserve as a Percentage of\n                   Development Cost by Project Phase\n\n\n\n\n                               CHART REDACTED\n\n\n\n\n           Source: OIG Analysis of FBI data\n\n       The Sentinel Program Manager said he did not advocate a\nmanagement reserve greater than 11 percent of development, and he\nexpects the Phase 1 management reserve to be reduced from 15\npercent to 11 percent.30 The FBI\xe2\x80\x99s Deputy Assistant Director of\nFinance agreed that an 11 percent management reserve was sufficient\nfor Phase 1. However, he said the Finance Division had not\ntransferred the excess management reserve to another account\nbecause there was no current operational need for the money. Both\nthe Chief of the Sentinel PMO\xe2\x80\x99s Business Management Unit and the\nDeputy Assistant Director of Finance said that the amount of the\nmanagement reserve for each phase was determined based on\npreliminary estimates of Sentinel\xe2\x80\x99s cost and had not been adjusted to\nreflect the FBI\xe2\x80\x99s contract with Lockheed Martin. The FBI\xe2\x80\x99s current\nspending plan for Sentinel overstates the total anticipated cost of the\nproject by $8.6 million, the difference between a management reserve\nof 15 percent of development costs and the 11 percent. However, FBI\nofficials told us that over the course of the project, the management\nreserve will be adjusted to 11 percent of Sentinel\xe2\x80\x99s development cost.\n\n\n      30\n       The FBI\xe2\x80\x99s Finance Division, not the Sentinel PMO, controls the\nmanagement reserve.\n\n\n\n                                       - 25 -\n\x0cFunding Sentinel\n\n       Our March 2006 report stated that according to an FBI official\nthe OMB required the FBI to identify the funding for each phase of\nSentinel before work on that phase could begin. As a result, on\nSeptember 27, 2005, the FBI submitted a $97 million reprogramming\nrequest to Congress for the first phase of Sentinel. Congress approved\nthe request on November 15, 2005. According to the PMO\xe2\x80\x99s most\nrecent cost estimates, Phase 1 will cost $108.5 million and require\nfunds over four fiscal years (FY) starting in FY 2006. However, Phase\n1 will only require $93.4 million in FY 2006 and 2007 funds, potentially\nmaking $3.6 million of the $97 million in reprogrammed funds\navailable to help fund Phase 2.\n\n       The President\xe2\x80\x99s FY 2007 budget request includes $100 million for\nPhase 2 of the Sentinel project. However, whether the FBI will receive\nthe full requested amount is uncertain because the FY 2007\nappropriation has not been finalized by Congress. xxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx. If the FBI receives the full\n$100 million requested in the FY 2007 budget, the FBI would need to\nidentify an additional xxxxxxxxxxxxxx to meet Sentinel\xe2\x80\x99s FY 2007\nfunding requirements. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxx However, the FBI\xe2\x80\x99s CIO recently told us that an FY 2007\nappropriation of less than $100 million would be cause for concern and\ncould result in an unanticipated level of reprogramming of FBI\nresources to fund the Sentinel project.\n\n      The FBI plans to seek additional appropriations to fund the third\nand fourth phases of Sentinel. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\n\n\n                                 - 26 -\n\x0cxxxxxxxxxxx The table below shows the spending plan for Sentinel by\nfiscal year over the life of the project.\n\n              Sentinel Spending Plan (Millions of Dollars)\n\n\n\n\n                          CHART REDACTED\n\n\n\n\nSource: FBI\n\n       In our first report on Sentinel, we noted that more than\n$14 million of the FBI\xe2\x80\x99s $97 million November 2005 reprogramming\nwould come from the Counterterrorism Division budget, $13 million\nfrom intelligence-related activities, and $2 million from the Cyber\nDivision. During our first audit, most FBI divisions and offices seemed\nconfident about their ability to absorb the initial reprogramming of\nfunds to Sentinel for Phase 1. However, the officials stated that a\nsecond reprogramming of the same magnitude would damage their\nability to fulfill their mission.\n\n       During this audit, we also interviewed officials at FBI\nheadquarters to assess the impact of the $97 million reprogramming\nand any future reprogrammings for Sentinel. Generally, these officials\nconfirmed that their divisions and offices can withstand the diversion\nof funds to Sentinel for the first reprogramming and that the\nsuccessful implementation of a modern case management system\nwould offset the operational impact of the reprogramming. These\nofficials also said they had not received notice of the need for or\namount of any future reprogrammings and therefore could not assess\nits potential impact. In our judgment, any reprogramming significantly\nabove $50 million will require the FBI to carefully consider which\nprograms and activities will be affected and how to monitor the overall\nimpact on the FBI\xe2\x80\x99s mission.\n\n\n                                 - 27 -\n\x0cCost Tracking and Control\n\n       For the Trilogy project, the FBI lacked an effective, reliable\nsystem to track and validate the contractors\xe2\x80\x99 costs. We highlighted\nthis concern in our February 2005 report on Trilogy and stated our\ncontinuing concern in our March 2006 report on Sentinel. Also, in its\nFebruary 2006 report the GAO stated that the FBI\xe2\x80\x99s poor cost controls\nresulted in the payment of about $10 million in questionable contractor\ncosts, and poor property management led to missing equipment\nvalued at $7.6 million.\n\n      The FBI has now established several layers of control to help\nensure that costs are authorized in advance, verified when delivered,\nand validated when invoiced. The overlapping responsibilities for\noversight of Sentinel\xe2\x80\x99s costs include: the FBI\xe2\x80\x99s Finance Division \xe2\x80\x93\nwhich performs accounting, auditing, and budget monitoring; the\nOffice of the Chief Information Officer\xe2\x80\x99s (OCIO) IT Financial\nManagement Unit \xe2\x80\x93 which tracks Sentinel\xe2\x80\x99s costs in detail; and the\nSentinel PMO\xe2\x80\x99s Program Integration Unit \xe2\x80\x93 which tracks program and\ndevelopment costs and has developed policies and procedures for\nprocessing invoices, requisitioning and procuring equipment, reviewing\ncontractor time charges, and resolving discrepancies. The Sentinel\nPMO\xe2\x80\x99s Business Management Unit has also implemented a \xe2\x80\x9cchange\nmanagement process\xe2\x80\x9d to help prevent \xe2\x80\x9crequirements creep\xe2\x80\x9d that can\nincrease project costs or schedule delays. The tracking systems and\ncontrols the FBI has implemented provide greater assurance that the\nFBI will be better able to monitor and control project costs for Sentinel\nthan was the case under Trilogy.\n\nOversight and Control\n\n       The Finance Division\xe2\x80\x99s Audit Unit has dedicated two of its six\nauditors to work part time on Sentinel. According to Finance Division\nstaff, auditors periodically review a sample of invoices for Sentinel\ngoods and services to verify that applicable procedures are being\nfollowed. The Audit Unit produces a monthly audit report, which is\ndistributed to the Contracting Officer\xe2\x80\x99s Technical Representative\n(COTR), the Finance Division, and FBI management, including the\nDeputy Director.\n\n      The Finance Division tracks Sentinel spending through the FBI\xe2\x80\x99s\nFinancial Management System (FMS). The FMS uses four categories \xe2\x80\x93\ndevelopment contract, O&M, program management, and risk\n\n                                 - 28 -\n\x0cmanagement \xe2\x80\x93 to track Sentinel costs. In addition, the Chief Financial\nOfficer (CFO) has established a separate, dedicated cost code for\nSentinel that allows the Sentinel PMO, OCIO, and CFO teams to jointly\ntrack and control Sentinel costs through the Budget Execution and\nAnalysis Reporting System (BEARS), a database used to track budget\ninformation within the OCIO. BEARS tracks Sentinel equipment\npurchases and other expenditures by project phase based on 20\nspecific spending plans. BEARS extracts purchase order information\nfrom the FMS and generates reports on funds requested, amounts\napproved, and obligations that have not yet entered the FMS. BEARS\ndata is used for the FBI\xe2\x80\x99s EVM analyses, discussed below.\n\n      Requisitions require the approval of the Sentinel PMO, Business\nManagement Unit Chief, the COTR, and the Office of IT Program\nManagement\xe2\x80\x99s Program Management Executive. The PMO budget\nanalyst and the IT Financial Management Unit verify availability of\nfunds according to the spending plans. The Office of IT Policy and\nPlanning validates and approves the requisition requirements, and the\nIT Financial Management Unit enters the requisition information into\nBEARS.\n\n        The IT Financial Management Unit only tracks funds that have\nbeen entered into the Sentinel spending plans in BEARS. It loses\nvisibility over Sentinel funds any time funds are transferred from\nSentinel to another FBI program. For example, the Sentinel PMO had\nto pay for its portion of the FBI\xe2\x80\x99s wireless service that supports its\nhandheld e-mail devices. The IT Financial Management Unit\ntransferred funds from the Sentinel account to the appropriate\naccount. Once this transfer occurred, the Unit no longer had the\ncapability through BEARS to determine whether the money was\nactually spent for the use intended. The IT Financial Management Unit\nhas not devised a practical alternative method to track Sentinel costs\nnot entered into the BEARS database managed by the unit.\n\nInvoice Processing Overview\n\n       We reviewed Sentinel\xe2\x80\x99s requisitioning and invoice processing\nprocedures and found that they appeared reasonable. The contractor\nsubmits invoices to the COTR for review. The COTR verifies the\ninvoices with the Sentinel Unit Chiefs, such as the chief of the System\nDevelopment Unit, to ensure that the billed work has been performed,\nis within the scope of work, and is funded. The COTR returns any\n\n\n                                 - 29 -\n\x0cincorrect invoices to the vendor with comments detailing the\ndiscrepancies or the additional information required.\n\n      The Chief of Sentinel\xe2\x80\x99s Business Management Unit records and\ntracks invoices against purchase orders; analyzes actual expenditures\nagainst planned spending by month; prepares regular reports for the\nCOTR, Unit Chiefs, and the Program Manager regarding the availability\nof funds; notifies the COTR and Program Manager of any deviation\ngreater than 5 percent from planned expenditures; revises spending\nplans at least quarterly; and coordinates invoices with EVM estimates.\n\n      The Program Manager or Deputy Program Manager reviews final\ninvoices after the reviews by the COTR and unit chiefs, and is\nresponsible for approving invoices for payment. The Contracting\nOfficer then gives final approval and forwards the invoice to the FBI\xe2\x80\x99s\nCommercial Payments Unit for payment.\n\n      Based on our review, the Sentinel\xe2\x80\x99s policies and procedures for\nprocessing invoices, requisitioning and procuring equipment, reviewing\ncontractor time card, and handling deviations in bills of materials\nshould help prevent the FBI from incurring and paying for\nunauthorized services and materials.\n\nEarned Value Management\n\n      Our March 2006 report on Sentinel pointed out the need for the\nFBI to establish an EVM process for Sentinel, which it has since done.\nEVM helps manage project risks by achieving reliable cost estimates,\nevaluating progress, and allowing the analysis of project cost and\nschedule performance trends. EVM compares the current status of a\nproject, in terms of both cost and schedule, to the established cost and\nschedule baselines. Deviations between the baselines and the current\nstatus demonstrate the project\xe2\x80\x99s progress and the overall level of\nperformance, thereby enabling a level of accountability to be imposed\non the project. When properly utilized, EVM allows project\nmanagement to pinpoint potential problems and address them before\nthey escalate. Based on our review of early EVM reporting from April\nto August 2006, we identified no immediate concerns with Sentinel\xe2\x80\x99s\ncost or schedule in the first phase of the project, although Lockheed\nMartin was still grappling with some estimating errors that may have a\nfuture impact on the EVM results.\n\n\n\n                                 - 30 -\n\x0c       According to the FBI\xe2\x80\x99s EVM plan, the Sentinel PMO will use the\nplan to measure its and the contractor\xe2\x80\x99s earned value performance and\nreport the result to oversight entities. The Sentinel project\xe2\x80\x99s\nStatement of Work requires vendors and contractors to fully\nimplement EVM in accordance with the plan, including having an EVM\nsystem of its own that complies with American National Standards\nInstitute (ANSI)/Electronic Industries Association (EIA) Standard\n748-A.31 This allows the FBI to gather EVM data on the development\nportion of the project from Lockheed Martin through monthly electronic\ndata transfers from Lockheed Martin. The Sentinel PMO collects EVM\ndata for the PMO portion of the Sentinel from invoices from support\nservices contractors and BEARS, an FBI reporting system discussed\npreviously.\n\n      The Statement of Work also included the requirement that the\nvendor perform an Integrated Baseline Review (IBR), where the cost\nand schedule baselines would be established for the project. Properly\nexecuted, IBRs are an essential element of a Program Manager\'s risk-\nmanagement approach. IBRs are intended to provide both the\ngovernment\xe2\x80\x99s and the contractor\xe2\x80\x99s program managers with a mutual\nunderstanding of the project\xe2\x80\x99s performance measurement baseline and\nagreement on a plan of action to resolve any identified risks.\n\n       The Sentinel IBR started on schedule, but took somewhat longer\nthan scheduled to complete. According to the report documenting the\nresults of the IBR, the FBI and Lockheed Martin achieved the\nobjectives of the IBR, and the Project Management Baseline was set\nfor Phase 1. The IBR set the baseline budget at XXXXXXXXXX, not\nincluding the xxxxxxxxxxxx (about x percent of the baseline budget)\nmanagement reserve established for Lockheed Martin at the IBR.\nIncluding the management reserve, the baseline budget is $2.9 million\nless than the $57.2 million contracted for Phase 1. Lockheed Martin\xe2\x80\x99s\nmanagement reserve, which was established with the FBI\xe2\x80\x99s\nagreement, is intended to provide Lockheed Martin with the flexibility\nto respond to any cost estimating errors it may have made and still\nstay within the contracted amount. The Sentinel Statement of Work\nalso required that Lockheed Martin submit its EVM system to the\n\n       31\n            ANSI/EIA Standard 748-A is the criteria selected by the OMB for EVM\nsystems. The standard includes 32 specific criteria in five process areas necessary\nfor a sufficient EVM system: (1) organization; (2) planning, scheduling and\nbudgeting; (3) accounting; (4) analysis and management reports; and (5) revisions\nand data maintenance.\n\n                                      - 31 -\n\x0ccontracting officer for review. In June 2006, the PMO\xe2\x80\x99s EVM analyst\nreviewed Lockheed Martin\xe2\x80\x99s EVM system and determined that the\nsystem complies with ANSI/EIA Standard 748, and the FBI\xe2\x80\x99s\ncontracting officer concurred.\n\n      At the time of our audit, the FBI had begun using \xe2\x80\x9cWinsight\xe2\x80\x9d\nsoftware to maintain and report Sentinel\xe2\x80\x99s EVM performance metrics.\nSentinel\xe2\x80\x99s EVM analyst prepares three EVM reports each month: one\nanalyzing the whole program\xe2\x80\x99s EVM data, one analyzing Lockheed\nMartin\xe2\x80\x99s EVM data, and one analyzing the PMO\xe2\x80\x99s EVM data.\n\n      We reviewed the EVM reports for April to August 2006. The\nAugust 2006 EVM reports show that since the schedule and costs of\nLockheed Martin\xe2\x80\x99s work were determined, the actual cost of work\nperformed by Lockheed Martin exceeded the planned cost. During\nJune, July, and August, the Lockheed Martin portion of the program\nwas xxx percent, xxx percent, and xxx percent over budget\nrespectively.\n\n       According to the June report, Lockheed Martin made an\nestimating error in the EVM baseline approved at the IBR. xxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxx However, according to the EVM report, Lockheed Martin\nofficials said another estimating error should offset the excess costs\naccrued in June. xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxx.\n\n       However, if Lockheed Martin continues to accrue costs at the\nrate it did in June, the EVM report projects that Lockheed Martin\xe2\x80\x99s cost\nfor Phase 1 will be about xxxxxxxxxxxx, or approximately xxxxxxxxx\nmore than the baseline budget of $xxxxxxxxxxxx (excluding Lockheed\nMartin\xe2\x80\x99s xxxxxxxxxxxx management reserve). Still, the projected cost\nis less than the $57.2 million contracted amount for Phase 1 of\nSentinel. The report concluded that Lockheed Martin\xe2\x80\x99s EVM data is not\nlikely to show \xe2\x80\x9ca rapid and large improvement,\xe2\x80\x9d xxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxx\n\n\n                                 - 32 -\n\x0c      xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\nxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx FBI officials\nrecently told us that Lockheed Martin has developed a plan showing\nhow the variance in xxxxxxxxxxxxxx will not have a negative impact\non the cost of Phase 1.\n\n      The July 2006 EVM report also showed that the actual costs\nincurred by the PMO were about $1.1 million less than planned at this\nstage of the project. The EVM report attributes the spending variation\nprimarily to vacancies in the PMO. The report concluded that the\nvariance should not prevent the program from meeting its schedule or\nperformance goals and recommended that PMO management continue\nto focus on filling the PMO\xe2\x80\x99s vacancies (see discussion of PMO\nvacancies later in this report). As a result of joint Lockheed Martin-FBI\ndecision to delay some purchases, Lockheed Martin did not receive\nhardware and software on the dates envisioned by the baseline\nschedule, causing the July EVM report on Lockheed Martin\xe2\x80\x99s activities\nto show it being behind schedule by 10.1 percent.\n\n       The OMB requires agencies to report to it EVM variances greater\nthan 10 percent, including what corrective actions the agency will take\nto remedy the variances. While the development of Sentinel depends\nheavily on Lockheed Martin\xe2\x80\x99s performance, the Lockheed Martin EVM\ndata is only part of the Sentinel EVM data. In July, the net schedule\nvariance for the Sentinel program as a whole \xe2\x80\x93 the basis for whether it\nis required to report variances to the OMB \xe2\x80\x93 was 8.1 percent. Sentinel\nis on the OMB government-wide list of high-risk IT projects, meaning\nthat Sentinel is a high-priority project, not that it is a troubled project.\nFBI officials said that because Sentinel is on the high-risk list, the FBI\nprovides the OMB with monthly EVM data on the PMO\xe2\x80\x99s performance\nand Lockheed Martin\xe2\x80\x99s performance, regardless of whether or not there\nare any significant variances.\n\n      In our judgment, reporting from June to August 2006 shows that\nSentinel\xe2\x80\x99s EVM system is functioning as intended and providing FBI\nmanagers with warnings of issues that may affect Sentinel\xe2\x80\x99s cost or\nschedule, including Lockheed Martin\xe2\x80\x99s estimating errors and vacancies\nin the PMO. We also believe it was prudent for the FBI to allow\n\n                                  - 33 -\n\x0cLockheed Martin to establish a management reserve to compensate for\nestimating errors. While we identified no significant immediate\nconcerns, we are concerned about the future implications of the cost\nvariances experienced by Lockheed Martin, especially the higher-than-\nexpected labor rates. We will continue to monitor Sentinel\xe2\x80\x99s EVM\nreporting to identify any concerns affecting the project baselines.\n\nRisk Management\n\n      The FBI has instituted a risk management process to identify and\nmitigate the risks associated with the Sentinel project. The risk\nprocess is managed by the Sentinel Project Manager and a Risk Review\nBoard, which meets biweekly. The most significant risks identified by\nthe board are examined at monthly Program Management Review\nsessions and other Sentinel oversight meetings in accordance with the\nFBI\xe2\x80\x99s LCMD.32\n\n       The purpose of risk management is to assist the program\nmanagement team in identifying, assessing, categorizing, monitoring,\ncontrolling, and mitigating risks before they negatively affect a\nprogram. A risk management plan identifies the procedures used to\nmanage risk throughout the life of the program. In addition to\ndocumenting the risk approach, the plan focuses on how the risk\nprocess is to be implemented; the roles and responsibilities of the\nprogram manager, program team, and development contractors for\nmanaging risk; how risks are to be tracked throughout the program\nlife cycle; and how mitigation and contingency plans are implemented.\n\n       Program risks include risks that are identified and managed by\nthe development contractor as well as risks that can only be identified\nand managed by the FBI. This requires that risk management be\nperformed by the vendor and subcontractors to identify risks from the\ncontractor perspective, and by the FBI program management team to\nidentify risks from the FBI\xe2\x80\x99s perspective. According the Sentinel\nProgram Manager, PMO personnel attend and participate in Lockheed\nMartin\xe2\x80\x99s risk management meetings. These weekly meetings are the\n\n\n       32\n           In addition to the risk management processes cited above, the following\nreceive briefings that include information about Sentinel risks: the FBI Director\n(weekly); a review team with senior representatives from the Department of Justice,\nOMB, and Director of National Intelligence (monthly); the FBI CIO\xe2\x80\x99s Advisory Council\n(bi-monthly); the FBI Director\xe2\x80\x99s Advisory Board (as requested); and congressional\noversight committees (quarterly).\n\n                                      - 34 -\n\x0cprimary reason that the Sentinel Risk Review Board continues to meet\nbiweekly rather than weekly, as planned in the pre-acquisition phase.\n\n       According to the Sentinel Risk Management Plan, risks are to be\nidentified, assessed, and tracked throughout the life of the project.\nWhen a proposed risk is brought before the Risk Review Board, the\nboard\xe2\x80\x99s voting members decide whether or not to accept the risk as an\n\xe2\x80\x9copen\xe2\x80\x9d risk and, if accepted, vote on the severity the risk will have on\nthe project\xe2\x80\x99s cost, schedule, and performance and the probability the\nrisk will occur. Risks brought before the Risk Review Board are\ndocumented in a risk register, which includes the following:\n\n          \xe2\x80\xa2    description of the risk,\n          \xe2\x80\xa2    impact on the program should the risk occur,\n          \xe2\x80\xa2    phase of Sentinel affected by the risk,\n          \xe2\x80\xa2    person responsible for managing the risk,\n          \xe2\x80\xa2    OMB risk category,\n          \xe2\x80\xa2    severity of the risk as voted by the Risk Review Board,\n          \xe2\x80\xa2    probability the risk will occur as voted by the Risk Review\n               Board,\n          \xe2\x80\xa2    strategy to mitigate the risk,\n          \xe2\x80\xa2    risk status,\n          \xe2\x80\xa2    contingency trigger, and\n          \xe2\x80\xa2    contingency plan\n\n       The risk register lists open risks in rank order based on the risks\xe2\x80\x99\nprobability and severity ratings. The PMO is responsible for tracking\nand periodically reviewing risks that are closed or resolved to prevent\nrecurrence and to document the effectiveness and any unintended\nconsequences of the mitigation strategy employed. Generally,\nSentinel\xe2\x80\x99s mitigation strategy has been to develop a series of actions\nthat will decrease the probability a risk will occur or the severity of a\nrisk\xe2\x80\x99s impact on Sentinel.\n\n     As of August 2006, the FBI had identified, and was managing, 20\nopen risks to the Sentinel program, including the five top-ranked risks:\n\n      \xe2\x80\xa2       new model for data access and control (access rules) may\n              impact project schedule and budget;\n\n      \xe2\x80\xa2       user requirements may change significantly as a result of the\n              business process reengineering initiative and impact\n              Sentinel\xe2\x80\x99s schedule and budget;\n\n                                      - 35 -\n\x0c      \xe2\x80\xa2   absent an authoritative source of identity attributes, Sentinel\n          must internally develop identity attributes for Role Based\n          Access Control, and impact on FBI Enterprise Directory\n          Service requirements is unknown;\n\n      \xe2\x80\xa2   development contractor hiring is lagging in providing the\n          resources needed to complete design work; and\n\n      \xe2\x80\xa2   lack of attendance or participation by users in training.\n\n       The severity of 9 of the 20 risks was classified as high, meaning\nthat if the risks occurred they would have a major impact on Sentinel\xe2\x80\x99s\nschedule, cost, or performance. One risk was classified as having a\nhigh probability of occurring. However, no high-impact risk was\njudged to have a high probability of occurrence. Many of these risks\naddressed subjects raised in our interviews of FBI personnel working\non Sentinel, including successfully migrating data from ACS to\nSentinel.\n\n      We view the FBI\xe2\x80\x99s ability to successfully migrate data from the\nantiquated ACS system to Sentinel as a potentially significant\nchallenge. If the migration were to fail or be seriously delayed, the\nFBI would need to try maintaining its legacy ACS system with all of its\nflaws. An inability to migrate the ACS data would also result in a\nSentinel system that builds its data from the present day forward,\nwithout the benefit of years of investigative data compiled in the old\nsystem. Further, should ACS cease to be maintainable, that data\ncould effectively be lost. The Sentinel Program Manager told us that\nthe task of \xe2\x80\x9ccleaning\xe2\x80\x9d and reconciling the ACS data for migration into\nSentinel is not technically difficult, and the FBI plans to use an\navailable COTS software tool for that purpose. However, he pointed\nout that it will take a significant amount of work to accomplish. He\nalso said that as a preventative measure intended to eliminate any\ndelays in the overall project due to data cleansing, the FBI plans to\ncleanse data in the phase preceding the phase in which the data will\nbe transferred to Sentinel.\n\n       Another potential risk in our opinion is the extent to which\nSentinel will actually use commercial-off-the-shelf software modules as\nintended. A high degree of customization of the software could result\nin increased costs and schedule delays. The Sentinel Program\nManager told us that the components for Sentinel are all off-the-shelf\nand little or no customization is anticipated. However, the key task\n\n                                  - 36 -\n\x0cwill be configuring Sentinel\xe2\x80\x99s various applications \xe2\x80\x93 such as the\nworkflow, document management, searching and reporting, and\nelectronic signatures \xe2\x80\x93 to all work together. The Program Manager\nnoted that Lockheed Martin has successfully configured similar\nsystems in other major projects, using some of the same software\nmodules, including one at the Social Security Administration.\n\n      The August 2006 risk register also included 43 closed risks.\nMost of these risks had been closed for the following four reasons: the\ntime for the risk to occur had passed; all the steps in the mitigation\nstrategy had been completed; the risk was divided into multiple risks;\nor the risk was consolidated with another risk.\n\n      Our review of the risk register showed that the majority of the\n20 open risks are most likely to affect the first two phases of the\nSentinel project. As shown in the following chart, the Risk Review\nBoard classified 15 of the 20 (75 percent) risks as having a potential\nimpact on Phases 1 and 2.33 Of the 6 risks identified as having a\npotential impact on Phase 1, all but 2 were ranked within the top 10\nhighest priority risks. Appendix 5 lists the 20 risks in order of priority\nas well as the phase of Sentinel they could affect.\n\n                       Open Risks by Sentinel Phase\n\n\n\n                          Phase 4\n                             2\n                                              Phase 1\n                     Phase 3                     6\n                        2                                               Phase 1\n                                                                        Phase 2\n                                                                        Phase 3\n                                                                        Phase 4\n\n                           Phase 2\n                              9\n\n\n\n       Source: OIG analysis of FBI data\n\n\n\n       33\n           One risk was not assigned a phase in the risk register; as a result, the\nchart includes a total of 19 risks rather than 20.\n\n                                        - 37 -\n\x0c      The register also includes a statement describing the impact\neach risk would have on the project should it go unmitigated. We\nreviewed these statements and found that the consequences of the\nrisks may affect the following aspects of Sentinel: the project\xe2\x80\x99s cost\nand the need for additional funds, the scope of the work to be\nperformed and the project\xe2\x80\x99s requirements, the project\xe2\x80\x99s schedule, the\nsystem\xe2\x80\x99s functionality, and user acceptance of the system. As shown\nin the following chart, schedule, requirements or scope, and cost or\nfunding are the most frequent consequence of the risks the FBI is\ncurrently managing.\n\n                         Consequences of the Risks Currently\n                         Being Managed by the Sentinel PMO\n\n\n   12\n\n\n\n   10\n\n\n\n\n    8\n\n\n\n\n    6\n\n\n\n\n    4\n\n\n\n\n    2\n\n\n\n\n    0\n         Functionality       Schedule   User Acceptance   Requirements/Scope   Cost/Funding\n\nSource: OIG analysis of FBI data\n\n       According to the FBI\xe2\x80\x99s risk management plan, the Sentinel PMO\nshould develop a \xe2\x80\x9ccontingency trigger\xe2\x80\x9d and a contingency plan for each\nrisk it is managing that has a probability or severity rated as medium\nor higher by the Risk Review Board. A contingency trigger is an event\nthat would convert a risk into an operational issue and cause the FBI\nto implement a risk\xe2\x80\x99s contingency plan. However, we found that the\nrisk register includes a contingency trigger and contingency plan for\n\n\n\n                                            - 38 -\n\x0conly 3 of the 18 risks required to have a contingency plan.34 In\naddition, only one of the five highest-ranked risks had a contingency\ntrigger or plan. The Sentinel Program Manager told us that in some\ncases it is difficult to develop a contingency plan before the FBI\xe2\x80\x99s\npreventive actions mitigate the likelihood or severity of the risk.\nInstead, he said the PMO is focusing on taking action to prevent risks\nfrom occurring and reducing the impact risks could have on the\nprogram. He also told us that many risks are temporary and as a\nproject phase progresses the risk may become moot, at which point it\nis closed. If a risk occurs, the PMO said the FBI will develop corrective\nactions. We believe there should be a contingency plan developed for\neach major risk having the potential to result in a significant cost,\nschedule, or performance deviation from the project baselines.\n\nStaffing of the Program Management Office\n\n      Due to the importance of the PMO in project oversight, our\nprevious Sentinel audit raised concerns about the progress in staffing\nthe Sentinel PMO. The PMO plays a critical role in assuring that the\nFBI implements a case management system that meets its needs. The\nPMO\xe2\x80\x99s contract and program execution responsibilities include:\n(1) cost, schedule, and performance oversight; (2) LCMD project\nreviews; (3) award fee evaluations; (4) primary contractor\xe2\x80\x99s\ndocumentation review and acceptance; (5) requirements and risk\nmanagement; and (6) budget and financial management. In light of\nthese responsibilities, having a qualified, dedicated PMO staff focused\non program execution is critical to the success of the Sentinel project.\n\n      Since our March 2006 audit: the planned size of the PMO has\ndecreased from 76 positions to 73 positions primarily because of less\noverlap in the project phases than initially anticipated; the PMO has\nreallocated positions among PMO units; and the PMO has filled 14\nadditional positions.35 As of October, 2006, the PMO consisted of 65 of\nthe 73 personnel identified in the FBI\xe2\x80\x99s Sentinel Staffing Plan (89\npercent) as required to properly oversee the project. According to the\nFBI, the objective in staffing the PMO is to form an integrated team of\nsubject matter experts from government, federally funded research\nand development centers, and system engineers and technical\n\n       34\n          The remaining two risks did not have probability or severity ratings, so we\ncould not determine whether they required contingency plans.\n       35\n          Three hires are in the process of coming on board.\n\n\n\n                                       - 39 -\n\x0cassistance contractors to maximize program expertise.36 The following\ntable summarizes the PMO\xe2\x80\x99s staffing level as of October 18, 2006, and\nshows the progress the FBI has made in staffing the office since\nJanuary 2006.\n\n             SENTINEL PMO STAFFING REQUIREMENTS\n\n                                                     Staff on          Staff on\n                                  Planned             Board,            Board\nOrganizational Units\n                                  Staff (a)          January           October\n                                                       2006            2006 (b)\nProgram Leadership                     2                 2                  2\nDirect Reporting Staff                 8                 6                  8\nOrganization Change\n                                       4                 2                  3\nManagement Team\nBusiness Management                   14                 9                 13\nProgram Integration                   10                 10                10\nSystem Development                    25                 21                25\nTransition                             5                 1                  4\nOperations &\n                                       5                 0                  0\nMaintenance\n Total                                73                51                 65\nSource: The FBI\n\nNotes: (a) Since January 2006, the Sentinel PMO has revised the total planned staff\n           from 76 to 73. Also, the plan does not include individuals who are on\n           temporary duty assignment to the project.\n\n       (b) The number of staff on board includes three positions for which the FBI\n           has selected candidates and is in the process of hiring.\n\nFor a more complete description of PMO staff and their duties, see\nAppendix 7.\n\n      The Sentinel Program Manager told us he did not intend to fill all\nof the PMO\xe2\x80\x99s eight vacancies immediately because six positions are not\n\n      36\n           Federally funded research and development centers are nonprofit\norganizations sponsored and funded by the U.S. government to assist government\nagencies with scientific research and analysis, systems development, and systems\nacquisition.\n\n                                      - 40 -\n\x0cneeded until the project approaches Phase 2, which begins in early\n2007. We agree that not filling positions until required is prudent.\nHowever, recruitment efforts need to be timed so that the six positions\nare filled when needed, allowing time for processing the new hires,\nincluding conducting background investigations. The FBI plans to\nbegin recruiting for the Phase 2 positions by the end of October 2006.\nMoreover, even if some hiring is delayed, two current vacancies exist.\nOf the current vacancies, one is a government position \xe2\x80\x94 an\nintelligence analyst \xe2\x80\x93 and one is a contractor position \xe2\x80\x93 a planner. The\nChief of the Business Management Unit said that government positions\nwere the most difficult to fill because of the FBI\xe2\x80\x99s hiring and\nbackground investigation processes. However, he said the steps the\nPMO had taken steps to expedite hiring, including interviewing\napplicants who had applied to an open FBI-wide job announcement for\ncomputer scientists, had been successful.\n\n      The Sentinel Program Manager said that he has gained more\ninsight into the personnel requirements of the PMO and that these\ninsights led him to decrease the number of planned staff by three and\nreallocate the planned staff among the PMO\xe2\x80\x99s units. He said he made\nthe most significant reduction, the elimination of four positions from\nthe Transition Unit, because the current schedule has phases of the\nproject overlapping less than originally anticipated. The following table\nshows the changes in the number of planned staff from January 2006\nto October 2006.\n\n\n\n\n                                 - 41 -\n\x0c        Changes in Sentinel PMO Staffing Requirements,\n                January 2006 to October 2006\n\n                                             Change in\n               Organizational Unit            Planned\n                                                Staff\n               Organization Change\n                                                  -1\n               Management Team\n               Business Management                -2\n               System Development                +2\n               Transition                         -4\n               Operations &\n                                                 +2\n               Maintenance\n                Total                             -3\n             Source: The FBI\n\nIn our opinion, the significant turnover of project management during\nthe Trilogy project \xe2\x80\x93 15 different key IT managers over the course of\nits life, including 10 individuals serving as project managers for various\naspects of Trilogy \xe2\x80\x93 was a major reason for Trilogy\xe2\x80\x99s problems. As of\nAugust 2006, three staff from the Sentinel PMO (five percent) had left\nthe PMO since the project\xe2\x80\x99s inception in March 2005. While the PMO\nhas replaced all three staff, we will continue to monitor turnover of\nSentinel PMO staff in future audits.\n\nImproved Management Processes and Controls\n\n       In the early stages of the Trilogy project, the OIG and GAO\nrecommended that the FBI establish Information Technology\nInvestment Management (ITIM) processes to guide the development\nof its IT projects. In response, the FBI issued its Life Cycle\nManagement Directive (LCMD) in 2004 after Trilogy was well\nunderway. The LCMD established policies and guidance applicable to\nall FBI IT programs and projects, including Sentinel. As we reported in\nour March 2006 report on Sentinel, we believe the structure and\ncontrols imposed by the LCMD can help prevent many of the problems\nencountered in the VCF effort. Since our March 2006 report on\nSentinel, the FBI has further refined its LCMD and is applying the\nrevised directive to Sentinel.\n\n\n\n                                  - 42 -\n\x0c      The LCMD covers the entire IT system life cycle, including\nplanning, acquisition, development, testing, and operations and\nmaintenance. As a result, the LCMD provides the framework for\nstandardized, repeatable, and sustainable processes and best practices\nin developing IT systems. Application of the IT systems life cycle\nwithin the LCMD can also enhance guidance for IT programs and\nprojects, leverage technology, build institutional knowledge, and\nensure that development is based on industry and government best\npractices.\n\n      The LCMD is comprised of four integrated components: life cycle\nphases, control gates, project level reviews, and key support\nprocesses. A diagram showing how these components relate to each\nother and a description of the life cycle phases, control gates, and\nproject level reviews is found in Appendix 6.\n\nLCMD Phases and Control Gates\n\n      The LCMD has established nine phases that occur during the\ndevelopment, implementation, and retirement of IT projects. During\nthese phases, specific requirements must be met for the project to\nobtain the necessary FBI management approvals to proceed to the\nnext phase. The approvals occur through seven control gates, where\nmanagement boards meet to discuss and approve or disapprove a\nproject\xe2\x80\x99s progression to future phases of development,\nimplementation, or retirement. As of August 2006, the Sentinel\nproject had passed through the first four life cycle phases and is\ncurrently in the fifth phase \xe2\x80\x93 Design.\n\n\n\n\n                                - 43 -\n\x0c                          FBI LCMD PHASES\n\n   PHASE NAME                                DESCRIPTION\n\n1. Concept Exploration     Identifies the mission need, develops and\n                           evaluates alternate solutions, and develops the\n                           business plan.\n\n2. Requirements            Defines the operational, technical and test\n   Development             requirements, and initiates project planning.\n\n3. Acquisition Planning    Allocates the requirements among the\n                           development segments, researches and applies\n                           lessons learned from previous projects, identifies\n                           potential product and service providers, and\n                           identifies funding.\n\n4. Source Selection        Solicits and evaluates proposals and selects the\n                           product and service providers.\n\n5. Design                  Creates detailed designs for system components,\n                           products, and interfaces; establishes testing\n                           procedures for a system\xe2\x80\x99s individual components\n                           and products and for the testing of the entire\n                           system once completed.\n\n6. Development and         Produces and tests all system components,\n   Test                    assembles and tests all products, and plans for\n                           system testing.\n\n7. Implementation and      Executes functional, interface, system, and\n   Integration             integration testing; provides user training; and\n                           accepts and transitions the product to operations.\n\n8. Operations and          Maintains and supports the product, and manages\n   Maintenance             and implements necessary modifications.\n\n9. Disposal                Shuts down the system operations and arranges\n                           for the orderly disposition of system assets\n\n\n       The seven control gate reviews provide management control and\ndirection, decision-making, coordination, confirmation of successful\nperformance of activities, and determination of a system\xe2\x80\x99s readiness to\n\n\n                                 - 44 -\n\x0cproceed to the next life cycle phase. Decisions made at each control\ngate review dictate the next step for the IT program or project and\nmay include: allowing an IT program or project to proceed to the next\nsegment or phase, directing rework before proceeding to the next\nsegment or phase, or terminating the IT program or project. The FBI\xe2\x80\x99s\nInvestment Management Project Review Board (IMPRB) \xe2\x80\x93 comprised of\n12 representatives from each FBI division at the Assistant Director\nlevel and 4 representatives from the Office of the Chief Information\nOffice, including the CIO \xe2\x80\x93 is responsible for approving an IT project\xe2\x80\x99s\npassing through each control gate.\n\n       At the time of our previous Sentinel audit, the Sentinel project\nhad received approval for the first two of the LCMD control gates: the\nSystem Concept on July 15, 2005, and the Acquisition Plan on July 29,\n2005. As of August 2006, the Sentinel program had not requested or\nreceived approval for the third control gate. According to the Sentinel\nprogram manager, Phase 1 of Sentinel is scheduled to pass through\nControl Gate 3, Final Design Review, in late October 2006. Depending\nupon the development model employed, programs or projects may\npass through the control gates more than once. Because Sentinel is\nbeing developed in phases, and the contractor must provide a system\ndesign for each phase, the project will pass through Control Gate 3\nfour times.\n\n      At each control gate, executive-level reviews determine system\nreadiness to proceed to the next phase of the IT systems life cycle.\nEvidence of readiness is presented and discussed at each control gate\nreview in the form of deliverables, checklists, and documented\ndecisions. Regardless of the development model used for a particular\nprogram or project, all control gate reviews should be performed\nunless an agreement is made to skip or combine them. The control\ngate reviews also provide executive-level controls to ensure that IT\nprojects are adequately supported and reviewed before a project\nreceives additional funding. Appendix 6 lists the five executive-level\nreview boards that serve as the decision authority for the control gate\nreviews.\n\n      The Gate 2 approval for Sentinel in July 2005 signified that the\nIMPRB accepted the overall project approach and cost estimate for\nacquiring the Sentinel system. Our previous audit showed that the FBI\ngenerally complied with the requirements of the then-current LCMD in\nperforming the control gate reviews for Sentinel. However, two\ndocuments had not been completed at the time the control gate review\n\n                                 - 45 -\n\x0cwas conducted: (1) the system security plan could not be developed\nat that time because the vendor needed to provide the project design\ndetails and, as of the date of the control gate review, the vendor had\nnot been selected; and (2) the Independent Verification and Validation\n(IV&V) plan, to be implemented by a separate contractor to\nindependently assess the implementation of the system according to\ntechnical and performance baselines, required a separate contract.\n\n      In August 2006, the Department awarded eight IV&V contracts\nfor use throughout the FBI and parts of the Department of Justice. In\nSeptember 2006, the FBI awarded a task order to Booz Allen Hamilton\nunder one of those contracts for the IV&V of Phase 1 of Sentinel, with\noptions for the remaining phases.37 According to the FBI, the\nindependent contractor will monitor Lockheed Martin\xe2\x80\x99s testing of the\nsystem software to ensure the software performs as intended. As an\ninterim measure prior to the award of the FBI-wide IV&V contract, the\nFBI used one of the contractors supporting the PMO, Keane, Inc., to\nprovide those services pending the availability of the independent\ncontractors. To minimize any conflict of interest with its FBI PMO\nresponsibilities, Keane\xe2\x80\x99s activities have been limited to examining\nLockheed Martin\xe2\x80\x99s performance and not the FBI\xe2\x80\x99s. We believe Keane is\nproviding a useful service in helping the FBI monitor Lockheed Martin\xe2\x80\x99s\nperformance to date. However, the FBI and its oversight bodies need\nthe assurance of a fully implemented IV&V process throughout the\ndevelopment of Sentinel. We believe this process should begin as\nsoon as possible, and we intend to review the scope and results of the\nIV&V in our upcoming Sentinel audits.\n\n      The system security plan will provide the detail necessary for the\ncompletion of the critical certification and accreditation of the\napplications being created for Sentinel. Unless certification and\naccreditation is accomplished, Sentinel will not be allowed to operate\ndue to security risks. According to FBI officials, it was not feasible to\ndevelop Sentinel\xe2\x80\x99s system security plan prior to Sentinel\xe2\x80\x99s final design,\nbecause the security plan is dependent on the design. However, as of\nAugust 2006, Lockheed Martin and the FBI had largely agreed on the\ndesign for Phase 1 of the Sentinel project, and Lockheed Martin\nprovided the FBI with a draft of the system security plan for that\nphase. The Sentinel Program Manager said the plan should be\n\n       37\n          At the time our audit, all of the specific IV&V activities for Sentinel had not\nbeen determined. However, IV&V may include oversight of program management\nprocesses and assessments related to the development contractor\xe2\x80\x99s performance.\n\n                                         - 46 -\n\x0ccompleted by October 2006 when Lockheed Martin and the FBI are\nscheduled to finalize the design of Phase 1.\n\n      The plans for IV&V and system security are, in our opinion,\ncrucial to ensuring the success of the Sentinel project. We will monitor\nthe implementation of both plans in our subsequent audit work.\n\nProject-Level Reviews\n\n       Project-level reviews help determine a project\xe2\x80\x99s readiness to\nproceed to the next phase of the project life cycle. Each project-level\nreview provides information to the executive-level control gates as\ndata is developed and milestones are completed. Appendix 6 includes\na list of the project-level reviews called for in the LCMD from the\nbeginning of the Concept Exploration Phase to the end of the Design\nPhase.\n\n       In the Sentinel Program Management Plan, approved in August\n2005, the FBI stated its intention to combine the Design Concept\nReview and Preliminary Design Review into a single review as part of\nthe project\xe2\x80\x99s LCMD tailoring approach. The LCMD provides for the\ntailoring of its requirements to meet a specific project\xe2\x80\x99s needs,\nallowing a project to combine, streamline or eliminate events, and\nmodify reports, documents, or deliverables. All tailoring decisions\nmust be reviewed and approved at the Acquisition Plan Review Control\nGate before finalizing them as part of the Program Management Plan.\nA review of the minutes from the Acquisition Plan Review indicates\nthat the IMPRB was briefed on Sentinel\xe2\x80\x99s LCMD tailoring approach.\n\n     To date, the FBI has conducted the Mission Needs Review,\nSystem Specification Review, Source Selection Acquisition Review,\nContract Implementation Review, Requirements Clarification Review,\ncombined Design Concept/Preliminary Design Review, and Critical\nDesign Review. The FBI planned to conduct the Final Design Review in\nOctober 2006.\n\n       Based on our review of meeting minutes and documentation\nresulting from these reviews, it appears that the FBI is adhering to\nLCMD requirements in conducting these reviews and is following the\nschedule for producing the requisite deliverables established in the\nProgram Management Plan.\n\n\n\n                                 - 47 -\n\x0cDepartment Investment Review Board\n\n       In addition to the FBI\xe2\x80\x99s management reviews, Sentinel has also\nbeen required to make periodic presentations to the Department\nInvestment Review Board (DIRB). As part of the Department\xe2\x80\x99s IT\ninvestment management process, the Department Investment Review\nBoard oversees 10 to 15 of the Department\xe2\x80\x99s IT investments with the\ngreatest strategic and financial value. Periodic presentations to the\nBoard, which includes the Deputy Attorney General and the\nDepartment\xe2\x80\x99s CIO, should demonstrate adequate financial and risk\nmanagement, alignment with the Department\xe2\x80\x99s mission, and a\nsufficient return on investment. Each time Sentinel has appeared\nbefore the DIRB, the DIRB has approved the continued development of\nSentinel. The Office of Management and Budget provides additional\nmonitoring of Sentinel. For example, Sentinel is on the OMB\ngovernment-wide list of high-risk IT projects, meaning that Sentinel is\na high-priority project, not that it is a troubled project. Were the\nSentinel project to encounter serious problems, it could be placed on\nthe OMB watch list.\n\nChange Management Process\n\n      The FBI has implemented a change management process to aid\nin controlling changes in Sentinel\xe2\x80\x99s requirements that could result in\ncost growth, schedule delays, or performance problems. As shown in\nthe following flowchart, the FBI evaluates the potential effect of each\nrequest for change (RFC) on project baselines. Changes that affect\nthe cost or schedule must be approved by the System Configuration\nand Change Management Board and senior FBI management, up to\nand including the Deputy Director. According to FBI officials, the FBI\nDirector has made it clear that the FBI\xe2\x80\x99s requirements should not\nnecessitate the customization of the commercial software being used\nin Sentinel. If the FBI\xe2\x80\x99s business processes conflict with the\ncapabilities of the software, the FBI is committed to changing its\nprocesses rather than the software. We reviewed five of the six RFCs\nand found they were approved in accordance with the FBI\xe2\x80\x99s\nprocedures.38\n\n\n\n\n      38\n           One RFC was approved after we completed audit fieldwork.\n\n                                      - 48 -\n\x0cSource: The FBI\xe2\x80\x99s Sentinel Configuration Management Plan\n\n\n\n                                 - 49 -\n\x0c       However, while the FBI has established a reasonable system for\nlimiting changes to the system\xe2\x80\x99s requirements, the Sentinel PMO does\nnot control all events that could affect Sentinel\xe2\x80\x99s requirements. For\nexample, the Sentinel PMO does not control the FBI\xe2\x80\x99s legacy systems\nor policy changes affecting the FBI. The FBI continues to improve\nseveral IT systems that will either interface with Sentinel or be\nsubsumed by Sentinel. These upgrades could add to the scope of\nSentinel\xe2\x80\x99s requirements by making more difficult the required\ninterfaces. For example, the FBI continues to improve Guardian, an\nincident tracking system that Sentinel is expected to replace.\nAccording to Sentinel\xe2\x80\x99s risk register, changes to Guardian may lead to\nchanges in Sentinel\xe2\x80\x99s functional or interface requirements, causing\ndelays or cost increases. Also, changes in the FBI\xe2\x80\x99s policies governing\naccess to FBI computer systems could affect Sentinel\xe2\x80\x99s requirements.\n\nInformation Sharing\n\n       Executive Order 13356 requires that federal agencies design\ninformation systems with priority given to the interchange of terrorism\ninformation among agencies and between agencies and appropriate\nauthorities of state, local, and tribal governments. According to FBI\nofficials, the FBI will build Sentinel to share information based on the\nNational Information Exchange Model (NIEM), a joint project of the\nDepartments of Justice and Homeland Security.39 The NIEM also has\nthe support of the Director of National Intelligence. When finalized,\nthe model will essentially become the new government-wide law\nenforcement and intelligence agency standard and will serve as the\nvehicle for future information exchange. However, because the NIEM\nstandards have not been finalized, the FBI has not modified Sentinel\xe2\x80\x99s\ninformation sharing requirements to meet the draft NIEM standards\ncurrently available. FBI officials said that Sentinel will be modified to\nmeet final NIEM standards.\n\n\n\n\n       39\n          The Sentinel statement of work, which was developed prior to the release\nof the draft National Information Exchange Model, requires Sentinel to be built to the\nGlobal Justice XML Model.\n\n\n\n                                       - 50 -\n\x0cThe National Information Exchange Model\n\n       Agencies are not able to exchange information if they maintain\nlegacy systems that were not designed for information exchange. The\nNIEM information sharing standard, which FBI officials said should be\nfinalized in January 2007, is intended to create a national enterprise-\nwide framework to facilitate information sharing across all levels of\ngovernment by developing common information exchange standards.\n\n        Previously, many agencies shared information with other\nagencies on a strict \xe2\x80\x9cneed-to-know\xe2\x80\x9d basis and therefore provided little\nor no access to their systems. In addition, many agencies maintained\ndatabases with applications residing on networks that could not\ncommunicate with other agencies\xe2\x80\x99 networks. As a result of the\nSeptember 11, 2001, terrorist attacks, information sharing became a\nhigh priority. Agencies found that they did not have enough time or\nresources to modify their systems fast enough to allow for real time\ninformation exchange. In an attempt to remedy the immediate\nproblem, agencies built \xe2\x80\x9cbridges\xe2\x80\x9d to facilitate information exchange,\nsuch as Law Enforcement Information Exchange (LInX) and the\nRegional Data Exchange (R-DEx).40 R-DEx permits data to be\naccessed from another computer system and, based on security\nclearance and the need to know the information, the requester is\npermitted access to information up to the security level deemed\nnecessary. Standards had to be developed so that information is\ncharacterized the same way, no matter what agency originates it, to\nfacilitate the information exchange. NIEM is the effort to standardize\nthe data.\n\n\n\n\n       40\n          The LInX initiative is a project designed to enhance information sharing\nbetween local, state, and federal law enforcement by providing participating law\nenforcement agencies with secure access to regional crime and incident data,\nenabling investigators to search across jurisdictional boundaries to help solve crimes\nand resolve suspicious events. R-DEx gives state, local, and tribal law enforcement\naccess to federal investigative and intelligence information. R-DEx provides\ndetectives, investigators, and analysts the ability to view the linkage across multiple\ncases and their jurisdictions. These links include individuals, vehicles, weapons,\naddresses, phone numbers or other types of links. It also allows cases to be plotted\non maps in order to identify geographical patterns or links.\n\n\n\n                                        - 51 -\n\x0cInteragency Coordination on Sentinel\n\n      We interviewed representatives from the Drug Enforcement\nAdministration (DEA), the Bureau of Alcohol, Tobacco, Firearms and\nExplosives (ATF), and the Department of Homeland Security (DHS) to\ndetermine the extent of each agency\xe2\x80\x99s involvement with Sentinel and\nthe need to retrofit their case management systems to communicate\nwith Sentinel.\n\n      According to the DEA, two staff members participated in Sentinel\ncoordination meetings and used these meetings to identify changes to\nSentinel that would require the DEA to retrofit its case management\nsystem, Impact. The DEA is also involved with the development and\nusage of the NIEM information sharing standard.\n\n       The ATF told us it has had limited involvement with Sentinel.\nThe ATF has a representative on the DIRB as a non-voting member\nand has another staff member who serves as the liaison with the FBI\nfor Sentinel. The ATF is trying to avoid investing large amounts of\nmoney in its case management system until after Sentinel is\ndeveloped because the ATF representative believes that modifications\nwill be needed to its case management system, N-Force. The ATF\nrepresentative said that if the FBI builds a generic system that other\nagencies can use, it will be good for everyone; if not, it will not be very\nhelpful to the ATF. In response, FBI officials said Sentinel will be a\nflexible system that other agencies can configure to meet their needs.\n\n      According to a DHS official, a DHS representative will participate\nwith the FBI on the FBI Change Control Board. The DHS\nrepresentative stated that during the early stages of the Sentinel\nproject, the DHS provided four of its employees and two contractors to\nsupport the Sentinel PMO in the areas of case management, system\nanalysis, biometrics, immigration enforcement, strategic planning, and\ntechnical architecture. Similar to concerns expressed by the ATF, the\nDHS hopes Sentinel will not be too FBI-specific so that it will be usable\nby other agencies. The DHS is developing its own case management\nsystem, the Consolidated Enforcement Environment, and expects to\nuse some of the knowledge and reusable components from Sentinel to\nreduce the costs of DHS\xe2\x80\x99s own case management system.\n\n\n\n\n                                  - 52 -\n\x0cLockheed Martin\xe2\x80\x99s Observations on Sentinel\n\n       During our audit, we met with Lockheed Martin\xe2\x80\x99s project\nmanager for Sentinel to obtain his perspective on how the project is\nprogressing. The project manager stated that he is confident the\nproject would meet its targeted budget and schedule, but that there\nwere project risks that need ongoing attention. In his opinion, user\nacceptance and utilization was the most significant risk to the project.\nHe explained that this risk is being addressed in several ways during\nthe implementation of Sentinel. First, a prototype of the Phase 1\nproducts were provided to agents in three field offices to obtain input\non what should be added, removed, or changed. Similar assessments\nwould be made in the future phases of Sentinel. Second,\norganizational change management strategies were being\nimplemented within the FBI so that the transition from current\nworkflows and IT systems used by agents and analysts to the new\nSentinel workflow and systems would be facilitated. For example,\nSentinel users will be trained as the system is brought online. This\nwould allow users to immediately utilize the training on how to operate\nthe system. System trainers will remain after the system is brought\nonline in order to assist any users requiring further training or help.\nFinally, the project manager said that Lockheed Martin is taking steps\nto ensure that all of the significant workflows that will be affected by\nSentinel will be addressed in planning the system. This will ensure\nthat users will readily use the system to perform their day-to-day\nactivities.\n\n       While the project manager viewed user acceptance and\nutilization as a significant risk, and Lockheed Martin is taking steps to\nensure that the processes that need to be included within Sentinel are\ncovered, we believe other risks are more significant, as discussed\nearlier in this report. In our view, because Sentinel will be the only\nFBI case file system and employees will have to use the system in\norder to perform their jobs, we do not believe user acceptance and\nutilization is a significant concern. However, a related risk, that all of\nthe processes used by the FBI are included within the functionality of\nSentinel, is a greater concern. We believe that the steps being taken\nby the FBI and Lockheed Martin should ensure that all of the necessary\nworkflow processes are included within Sentinel. In future audits we\nwill monitor whether agents and analysts are finding the new Sentinel\napplications to be user-friendly and include all of the required\nfunctionality necessary to perform their jobs.\n\n\n                                  - 53 -\n\x0c      Other risks the Lockheed Martin project manager identified\ninclude the control over system requirements, the migration of data\nfrom the antiquated ACS system to Sentinel, and the connectivity of all\nof the field offices to the Sentinel databases. He noted that the FBI is\npaying particular attention to the requirements of the system and\nmaking efforts to eliminate \xe2\x80\x9crequirements creep.\xe2\x80\x9d The project\nmanager pointed out that to date the FBI has only made six requests\nfor change. Of those requests, one involved a security item that\nLockheed Martin was implementing differently than the FBI\nanticipated. Lockheed Martin agreed to change the way the security\nissue was implemented and funded the changes through its\nmanagement reserve. Four of the requests for change amounted to\nissues that were implemented at no cost and did not affect the project\nschedule. Lockheed Martin is considering the sixth request, which\ndeals with the project\xe2\x80\x99s cost classification system.\n\n      The project manager told us that Lockheed Martin and the FBI\nare dealing with the risks involved in migrating ACS data to Sentinel.\nHe explained that a software tool had been purchased to take the data\nfrom the ACS and \xe2\x80\x9ccleanse\xe2\x80\x9d it by determining the attributes of the\ndata, placing the data into defined categories, and then placing the\ndata into the correct locations in Sentinel. The significant risks of this\nprocess include the creation of rules to properly categorize the data\nwithin ACS and place it in Sentinel, and also what occurs when data is\nnot properly cleansed. To address this risk, the software has been\ntested using sample case files. However, according to the project\nmanager, until actual case file information is used, it will not be known\nhow many of the case files will not be able to be cleansed and\nuploaded into Sentinel. For those case files that cannot be cleansed, a\nreview board of Lockheed Martin and FBI personnel has been\nestablished to manually review the data and determine where it should\nbe placed within the Sentinel system. Because no one knows how\nmany case files will not be able to be cleansed, the time required to\ncleanse or review all of the ACS case file data cannot be estimated. As\ndiscussed earlier in this report, we consider the migration of data from\nACS into Sentinel as a significant risk that could affect both the cost\nand schedule of bringing Sentinel fully online.\n\n      The last risk the Lockheed Martin project manager cited was that\nof the FBI\xe2\x80\x99s IT infrastructure being able to adequately handle the\nsignal traffic over its networks. With the creation of a true electronic\ncase file system that will be used by about 15,000 agents and\nanalysts on a continuing basis, a substantial network is required so\n\n                                  - 54 -\n\x0cthat the information can be passed quickly within the system.\nAccording to the project manager, Lockheed Martin is not responsible\nwithin the Sentinel contract to ensure that the FBI\xe2\x80\x99s entire network\noperates efficiently. Instead, Lockheed Martin is responsible for\nbuilding the hardware and software portions of Sentinel that will be\nlocated at two sites, one as the primary site and the second as a\nbackup site. The FBI is responsible for networking the system. We\nagree with Lockheed Martin that the connectivity of Sentinel is a major\nconcern, and we will be following up on this concern in future audit\nwork.\n\n      The project manager said that from his perspective Lockheed\nMartin and the FBI are working well together. Specifically, there has\nbeen significant interaction between the two groups in management\nmeetings, including the risk boards that have been established both by\nthe FBI and by Lockheed Martin. Working groups have also been\nestablished between the two organizations where Lockheed Martin\xe2\x80\x99s\nteams responsible for drafting products are working with FBI staff\nresponsible for reviewing the products, thereby providing clear\ncommunications on what is expected for each product. Overall, the\nproject manager believed that the FBI is performing well its role as a\ngood customer in providing direct feedback and maintaining the\noriginal requirements for the Sentinel project.\n\n       Regarding the Sentinel budget, the project manager stated that\nLockheed Martin\xe2\x80\x99s costs possibly could be held to under the\n$305 million contract amount because of two changes in the\nimplementation of the project. First, since the time of Lockheed\nMartin\xe2\x80\x99s proposal for the project, new hardware to house database files\nhas come on the market that will lessen the cost of some aspects of\nthe project. Second, the FBI reduced the requirement for the number\nof trainers needed by performing the training at fewer locations. The\ntraining plan originally called for about 120 trainers, but now requires\nonly about 50 over the 6 to 7 weeks of implementation in the field for\nPhase 1.\n\nConclusion\n\n      By establishing stronger ITIM processes and an array of\nmonitoring and control mechanisms, the FBI has positioned itself to\nbetter manage the Sentinel project and avoid the problems that\noccurred in the Trilogy and VCF projects. However, FBI officials\nagreed this does not mean that Sentinel is risk free. While the FBI has\n\n                                 - 55 -\n\x0ccorrected or alleviated many of the concerns we raised in our March\n2006 report, several areas warrant continued attention to avoid\npotentially serious problems as the project progresses.\n\n       As a result of management improvements and the FBI\xe2\x80\x99s\nstructuring of Sentinel into four phases, Sentinel poses much less risk\nto the FBI than the failed VCF project. Management improvements\nthat reduce the risks include rigorous reviews and control gates\nrequired by the FBI\xe2\x80\x99s LCMD; new procedures to track and control\ncosts; the use of an EVM system to detect deviations from cost,\nschedule, or performance baselines; a change management control\nprocess; and a risk management process. Risks are also minimized by\nthe way the FBI structured the Sentinel program, such as the use of\noff-the-shelf components, conducting the project in a phased approach\nwith specific deliverables, and the establishment of firm baselines and\ndesign requirements for each project phase. Further, the FBI will\nadopt the new information sharing standards required by the\nDepartment, has made progress toward completing and implementing\nplans for system security and the IV&V of the system, and has added\nstaff to the Sentinel PMO.\n\n      However, some of the concerns from our March 2006 report\nremain. These concerns include: (1) uncertainty over the funding for\nthe project and the effect on the FBI\xe2\x80\x99s operations should an\nunexpected level of reprogramming of FBI funds be required to\ncontinue Sentinel, and (2) the need to fill remaining vacancies in the\nSentinel PMO to ensure proper FBI oversight of the project. In\naddition, our current review identified concerns over: (1) the\nuncertainty of total project cost estimates, and (2) the need for\ncontingency plans for the risks the PMO is currently monitoring.\nBecause the FBI has, in our judgment, only a tentative estimate of\nproject costs, we believe the FBI needs to periodically update its cost\nestimate for the Sentinel project based on actual cost experience and\ninform Congress and the Department of any revisions to its estimate.\nWe also believe the FBI should establish contingency plans for risks\nthat could seriously affect the cost, schedule, or performance of the\nSentinel project.\n\n      We believe the FBI\xe2\x80\x99s approach to the Sentinel project and the\nprocesses and controls it has developed, if implemented and followed,\nprovide reasonable assurance that Sentinel can be developed and\ndeployed successfully. However, there are serious project risks such\nas the ability to configure all of Sentinel\xe2\x80\x99s components into a seamless\n\n                                 - 56 -\n\x0csystem and to migrate ACS data into Sentinel. Project costs and\nfunding are also somewhat uncertain. The OIG will continue to\nmonitor and periodically issue audit reports throughout the four\noverlapping phases of the FBI\xe2\x80\x99s Sentinel project in an effort to track\nthe FBI\xe2\x80\x99s progress and identify any emerging concerns.\n\nRecommendations\n\n      We recommend that the FBI:\n\n      1. Ensure the management reserve is based on an assessment\n         of project risks for each phase and for the project overall.\n\n      2. Periodically update the estimate of total project costs as\n         actual cost data is available.\n\n      3. Complete contingency plans as required by the Sentinel Risk\n         Management Plan.\n\n      4. Ensure that the IV&V process is conducted through project\n         completion.\n\n      5. Complete hiring as soon as possible for the vacant PMO\n         positions needed during the current phase of the project.\n\n\n\n\n                                 - 57 -\n\x0c               STATEMENT ON COMPLIANCE WITH\n                   LAWS AND REGULATIONS\n\n      This audit assessed the FBI\xe2\x80\x99s implementation of the contract for\nits Sentinel case management project. In connection with the audit,\nas required by the Government Auditing Standards, we reviewed\nmanagement processes and records to obtain reasonable assurance\nthat the FBI\xe2\x80\x99s compliance with laws and regulations that, if not\ncomplied with, in our judgment, could have a material effect on FBI\noperations. Compliance with laws and regulations applicable to the\nFBI\xe2\x80\x99s management of the Sentinel project is the responsibility of the\nFBI\xe2\x80\x99s management.\n\n      Our audit included examining, on a test basis, evidence about\nlaws and regulations. The specific laws and regulations against which\nwe conducted our tests are contained in the relevant portions of:\n\n     \xe2\x80\xa2   OMB Circular A-11 and Memorandum M-05-23,\n     \xe2\x80\xa2   Executive Order 13356 (superseded by "Executive Order\n         13388: Further Strengthening the Sharing of Terrorism\n         Information to Protect Americans," dated October 25, 2005),\n     \xe2\x80\xa2   DOJ Order 2880.1b,\n     \xe2\x80\xa2   Federal Acquisition Regulations,\n     \xe2\x80\xa2   FBI Life Cycle Management Directive,\n     \xe2\x80\xa2   Department of Defense Programmer\xe2\x80\x99s Guide to the Integrated\n         Baseline Review,\n     \xe2\x80\xa2   American National Standards Institute/Electronic Industries\n         Alliance Standard 748A: Earned Value Management Systems,\n         and\n     \xe2\x80\xa2   National Defense Industrial Association Earned Value\n         Management System Intent Guide and Surveillance Guide.\n\n      Our audit identified no areas where the FBI was not in\ncompliance with the laws and regulations referred to above. With\nrespect to transactions that were not tested, nothing came to our\nattention that caused us to believe that FBI management was not in\ncompliance with the laws and regulations cited above.\n\n\n\n\n                                 - 58 -\n\x0c               STATEMENT ON INTERNAL CONTROLS\n\n      In planning and performing our audit of the FBI\xe2\x80\x99s contract for its\nSentinel project, we considered the FBI\xe2\x80\x99s internal controls for the\npurpose of determining our audit procedures. This evaluation was not\nmade for the purpose of providing assurance on the internal control\nstructure as a whole. However, we noted certain matters that we\nconsider to be reportable conditions under the Government Auditing\nStandards.\n\n       Reportable conditions involve matters coming to our attention\nrelating to significant deficiencies in the design or operation of the\ninternal control structure that, in our judgment, could adversely affect\nthe FBI\xe2\x80\x99s ability to manage its Sentinel project. During our audit, we\nfound the following internal control deficiencies.\n\n      \xe2\x80\xa2   Funding for Sentinel Phase 2 not completely identified.\n\n      \xe2\x80\xa2   Contingency plans for project risks need to be developed.\n\n      \xe2\x80\xa2   The FBI\xe2\x80\x99s Program Management Office for Sentinel is not yet\n          fully staffed.\n\n      Because we are not expressing an opinion on the FBI\xe2\x80\x99s internal\ncontrol structure as a whole, this statement is intended solely for the\ninformation and use of the FBI in contracting for the Sentinel project.\nThis restriction is not intended to limit the distribution of this report,\nwhich is a matter of public record.\n\n\n\n\n                                  - 59 -\n\x0c                                                           APPENDIX 1\n\n            OBJECTIVES, SCOPE, AND METHODOLOGY\n\nObjective\n\n       The objectives of this audit were to determine: (1) the progress\nthe FBI has made in resolving the concerns identified in our first report\non the planning for Sentinel, and (2) if the contract with Lockheed\nMartin and the FBI\xe2\x80\x99s ITIM processes and project management are\nlikely to contribute to the successful implementation of Sentinel.\n\nScope and Methodology\n\n      The audit was performed in accordance with the Government\nAuditing Standards, and included tests and procedures necessary to\naccomplish the audit objective. We conducted work at the FBI\nHeadquarters in Washington, DC, and at the FBI Sentinel Program\nManagement Office in McLean, VA.\n\n       To perform our audit, we interviewed officials from the FBI, DEA,\nATF, DHS, and the Department of Justice. We also interviewed\nofficials from Lockheed Martin and other contractors supporting the\nPMO. We reviewed documents related to the Sentinel contract; cost\nand budget documentation; Sentinel plans, processes and guidelines;\nand the prior OIG Sentinel report.\n\n      To evaluate the FBI\xe2\x80\x99s implementation of the Sentinel contract,\nwe examined the contract as well as associated amendments and\ndocumentation, underlying cost estimates, and methodologies for\ncontract modifications. We interviewed officials responsible for cost\nestimates, source selection, and contract award and implementation.\n\n      To update issues identified in the OIG\xe2\x80\x99s March 2006 Sentinel\naudit report, we interviewed responsible FBI and contractor officials\nand reviewed plans and procedures for IV&V, EVM, cost tracking,\ninformation sharing, and training. We also interviewed FBI officials\nand obtained updated status on issues related to financial\nreprogramming and PMO staffing.\n\n\n\n\n                                 - 60 -\n\x0c                                                    APPENDIX 2\n\n                        ACRONYMS\n\nACS     Automated Case Support\nANSI    American National Standards Institute\nATF     Bureau of Alcohol, Tobacco, Firearms and Explosives\nBEARS   Budget Execution and Analysis      Reporting System\nCFO     Chief Financial Officer\nCIO     Chief Information Officer\nCOTR    Contracting Officer\xe2\x80\x99s Technical Representative\nCOTS    Commercial Off-the-Shelf\nDEA     Drug Enforcement Administration\nDHS     Department of Homeland Security\nDIRB    Department Investment Review Board\nEIA     Electronic Industries Alliance\nEVM     Earned Value Management\nFBI     Federal Bureau of Investigation\nFICMS   Federal Investigative Case Management System\nFMS     Financial Management System\nFY      Fiscal Year\nGAO     Government Accountability Office\nGEMPC   Government\xe2\x80\x99s Estimated Most Probable Cost\nGOTS    Government Off-the-Shelf\nIBR     Integrated Baseline Review\nIOC     Initial Operational Capability\nIMPRB   Investment Management Project Review Board\nITIM    Information Technology Investment Management\nIT      Information Technology\nIV&V    Independent Verification & Validation\nLCMD    Life Cycle Management Directive\nLInX    Law Enforcement Information Exchange\nMOU     Memorandum of Understanding\nNIEM    National Information Exchange Model\nO&M     Operations and Maintenance\nOCIO    Office of the Chief Information Officer\nOCM     Organization Change Management\nOIG     Office of the Inspector General\nOMB     Office of Management and Budget\nPMO     Program Management Office\nR-DEx   Regional Data Exchange\n\n\n\n                            - 61 -\n\x0cRFC   Request For Change\nUNI   Universal Index\nVCF   Virtual Case File\n\n\n\n\n                           - 62 -\n\x0c                                                            APPENDIX 3\n\n                PRIOR REPORTS ON THE FBI\xe2\x80\x99S\n                 INFORMATION TECHNOLOGY\n\n      Below is a listing of relevant reports discussing the FBI\xe2\x80\x99s\ninformation technology systems. These include reports issued by the\nDepartment of Justice, Office of the Inspector General (OIG), the\nGovernment Accountability Office (GAO), and by other external entities\nas well as FBI internal reports.\n\nPrior OIG Reports on FBI Case Management Efforts\n\n      In March 2006, the OIG issued a report entitled The Federal\nBureau of Investigation\xe2\x80\x99s Pre-Acquisition Planning For and Controls\nOver the Sentinel Case Management System. The report found that\nthe FBI had taken important steps to address its past mistakes in\nplanning for the development of Sentinel. The report identified the\nfollowing areas of concern:\n\n     \xe2\x80\xa2   the incomplete staffing of the PMO,\n\n     \xe2\x80\xa2   the FBI\xe2\x80\x99s ability to reprogram funds to complete the second\n         phase of the project without jeopardizing its mission-critical\n         operations,\n\n     \xe2\x80\xa2   Sentinel\xe2\x80\x99s ability to share information with external\n         intelligence and law enforcement agencies and provide a\n         common framework for other agencies\xe2\x80\x99 case management\n         systems,\n\n     \xe2\x80\xa2   the lack of an established EVM process,\n\n     \xe2\x80\xa2   the FBI\xe2\x80\x99s ability to track and control Sentinel\xe2\x80\x99s costs, and\n\n     \xe2\x80\xa2   the lack of complete documentation required by the FBI\xe2\x80\x99s\n         ITIM processes.\n\n      The OIG concluded that these areas of concern required action\nand continued monitoring by the FBI, the OIG, and other interested\nparties.\n\n\n\n                                  - 63 -\n\x0c      In February 2005, the OIG issued a report entitled, The Federal\nBureau of Investigation\xe2\x80\x99s Management of the Trilogy Information\nTechnology Management Project, which encompassed Sentinel\xe2\x80\x99s\npredecessor, the Virtual Case File (VCF). The OIG recommended the\nFBI take the following steps:\n\n     \xe2\x80\xa2   Replace the obsolete ACS system as quickly and as cost\n         effectively as feasible.\n\n     \xe2\x80\xa2   Reprogram FBI resources to meet the critical need for a\n         functional case management system.\n\n     \xe2\x80\xa2   Freeze the critical design requirements for the case\n         management system before initiating a new contract and\n         ensure that the contractor fully understands the requirements\n         and has the capability to meet them.\n\n     \xe2\x80\xa2   Incorporate development efforts for the VCF into the\n         development of the requirements for any successor case\n         management system.\n\n     \xe2\x80\xa2   Validate and improve as necessary financial systems for\n         tracking project costs to ensure complete and accurate data.\n\n     \xe2\x80\xa2   Develop policies and procedures to ensure that future\n         contracts for IT-related projects include defined requirements,\n         progress milestones, and penalties for deviations from the\n         baselines.\n\n     \xe2\x80\xa2   Establish management controls and accountability to ensure\n         that baselines for the remainder of the current user\n         applications contract and any successor Trilogy-related\n         contracts are met.\n\n     \xe2\x80\xa2   Apply ITIM processes to all Trilogy-related and any successor\n         projects.\n\n     \xe2\x80\xa2   Monitor the Enterprise Architecture being developed to ensure\n         timely completion as scheduled.\n\n     The report concluded that the difficulties experienced in\ncompleting the Trilogy project were partially attributable to:\n\n\n                                 - 64 -\n\x0c(1) design modifications the FBI made as a result of refocusing its\nmission from traditional criminal investigations to preventing\nterrorism, (2) poor management decisions early in the project,\n(3) inadequate project oversight, (4) a lack of sound IT investment\npractices, and (5) not applying lessons learned over the course of the\nproject.\n\nExternal Reports on FBI Case Management Efforts\n\n      In May 2006, the GAO released a report titled Weak Controls\nover Trilogy Project Led to Payment of Questionable Contractor Costs\nand Missing Assets that was critical of the FBI\xe2\x80\x99s controls over costs and\nassets of its Trilogy project. The GAO found that the FBI\xe2\x80\x99s review and\napproval process for Trilogy contractor invoices did not provide an\nadequate basis for verifying that goods and services billed were\nactually received and that the amounts billed were appropriate, leaving\nthe FBI highly vulnerable to payments of unallowable costs. These\ncosts included first-class travel and other excessive airfare costs,\nincorrect charges for overtime hours, and charges for which the\ncontractors could not document costs incurred. The GAO found\nunsupported and questionable costs in the amount of $10 million. The\nGAO also found that the FBI failed to establish controls to maintain\naccountability over equipment purchased for the Trilogy project.\nAccording to the GAO, poor property management led to 1,200\nmissing pieces of equipment valued at $7.6 million.\n\n       The National Research Council issued a report in May 2004\nentitled A Review of the FBI\xe2\x80\x99s Trilogy Information Technology\nModernization Program. The report found that the program was not\non a path to success, and identified the following needs:\n\n      \xe2\x80\xa2   valid contingency plan for transitioning from the old case\n          management system to the new one,\n\n      \xe2\x80\xa2   completed Enterprise Architecture,\n\n      \xe2\x80\xa2   adequate time for testing the new system prior to\n          deployment,\n\n      \xe2\x80\xa2   improved contract management processes, and\n\n      \xe2\x80\xa2   expanded IT human resources base.\n\n\n                                  - 65 -\n\x0c      The report concluded that the FBI had made significant progress\nin some areas of its IT modernization efforts, such as the\nmodernization of the computing hardware and baseline software and\nthe deployment of its networking infrastructure. However, because\nthe FBI\xe2\x80\x99s IT infrastructure was inadequate in the past, there was still\nan enormous gap between the FBI\xe2\x80\x99s IT capabilities and the capabilities\nthat were urgently needed.\n\n      The report was updated in June 2004 as a result of what the\nCouncil deemed clear evidence of progress being made by the FBI to\nmove ahead in its IT modernization program. This included the\nappointment of a permanent CIO and the formation of a staffed\nprogram office for improved IT contract management. The progress\nbeing made by the FBI appeared to the Council to have been more\nrapid than expected, although many challenges remained. The Council\nalso emphasized that the FBI\xe2\x80\x99s missions constitute increasingly\ninformation-intensive challenges, and the ability to integrate and\nexploit rapid advances in IT capabilities will only become more critical\nwith time. The update concluded that even with perfect program\nmanagement and execution, substantial IT expenses on an ongoing\nbasis are inevitable and must be anticipated in the budget process if\nthe FBI is to maximize the operational leverage that IT offers.\n\n       In September 2004, the GAO issued a report entitled,\nInformation Technology: Foundational Steps Being Taken to Make\nNeeded FBI Systems Modernization Management Improvements. This\nreport stated that although improvements were under way and more\nwere planned, the FBI did not have an integrated plan for modernizing\nits IT systems. Each of the FBI\xe2\x80\x99s divisions and other organizational\nunits that manage IT projects performs integrated planning for its\nrespective IT projects. However, the plans did not provide a common,\nauthoritative, and integrated view of how IT investments will help\noptimize mission performance, and they did not consistently contain\nthe elements expected to be found in effective systems modernization\nplans. The GAO recommended that the FBI limit its near-term\ninvestments in IT systems until the FBI developed an integrated\nsystems and modernization plan and effective policies and procedures\nfor systems acquisition and investment management. Additionally, the\nGAO recommended that the FBI\xe2\x80\x99s CIO be provided with the\nresponsibility and authority to effectively manage IT FBI-wide.\n\n\n\n\n                                 - 66 -\n\x0c     In April 2005, the House Surveys and Investigations staff issued\nA Report to the Committee on Appropriations, U.S. House of\nRepresentatives, which concluded that:.\n\n      \xe2\x80\xa2   VCF development suffered from a lack of program\n          management expertise, disciplined systems engineering\n          practices, and contract management. The project also was\n          affected by a high turnover of Chief Information Officers and\n          program managers.\n\n      \xe2\x80\xa2   VCF development was negatively impacted by the FBI\xe2\x80\x99s lack\n          of an empowered and centralized Office of Chief Information\n          Officer and sound business processes by which IT projects are\n          managed.\n\n      \xe2\x80\xa2   The FBI\xe2\x80\x99s decision to terminate VCF was related to\n          deficiencies in the VCF product delivered, failure of a pilot\n          project to meet user needs, and the new direction the FBI\n          planned to take for its case management system.\n\n      \xe2\x80\xa2   The FBI\xe2\x80\x99s IT program management business structure and\n          processes were, for the most part, in place, although some of\n          these processes needed to mature.\n\nFBI Internal Reports on Case Management\n\n      The FBI hired the Aerospace Corporation to perform an\nassessment of Commercial Off-the-Shelf (COTS) and Government Off-\nthe-Shelf (GOTS) systems that could be used in developing a case\nmanagement system and also an Independent Verification and\nValidation of Trilogy\xe2\x80\x99s Virtual Case File. In December 2004, the\ncontractor issued the COTS/GOTS Trade Study, which recommended\nthat the FBI look to systems that have an emphasis on data sharing.\nThe contractor further recommended that an acquisition strategy be\ndeveloped that includes an incremental deployment of core capabilities\nand the incremental addition of such components as intelligent search\nand reporting and specific analytic capabilities.\n\n       The contractor released the Independent Verification and\nValidation of the Trilogy Virtual Case File, Delivery 1: Final Report in\nJanuary 2005. The report recommended discarding the VCF and\nstarting over with a COTS-based solution. The contractor concluded\nthat a lack of effective engineering discipline had led to inadequate\n\n                                   - 67 -\n\x0cspecification, design, and development of VCF. Further, the contractor\ncould find no assurance that the architecture, concept of operations\nand requirements were correct or complete, and no assurance that\nthey could be made so without substantial rework. In sum, the\ncontractor reported that VCF was a system whose true capability was\nunknown, and whose capability may remain unknown without\nsubstantial time and resources applied to remediation.\n\nOther OIG Reports on the FBI\xe2\x80\x99s IT\n\n      OIG reports issued over the past 15 years have highlighted\nissues concerning the FBI\xe2\x80\x99s utilization of IT, including its investigative\nsystems. For example, in 1990 the OIG issued a report entitled The\nFBI\xe2\x80\x99s Automatic Data Processing General Controls. This report\ndescribed 11 internal control weaknesses and found that:\n\n      \xe2\x80\xa2     The FBI\xe2\x80\x99s phased implementation of its 10-year Long\n            Range Automation Strategy, scheduled for completion in\n            1990, was severely behind schedule and may not be\n            accomplished;\n\n      \xe2\x80\xa2     The FBI\xe2\x80\x99s Information Resources Management program\n            was fragmented and ineffective, and the FBI\xe2\x80\x99s Information\n            Resources Management official did not have effective\n            organization-wide authority;\n\n      \xe2\x80\xa2     The FBI had not developed and implemented a data\n            architecture; and\n\n      \xe2\x80\xa2     The FBI\xe2\x80\x99s major mainframe investigative systems were\n            labor intensive, complex, untimely, and non-user friendly\n            and few agents used these systems.\n\n       The OIG\xe2\x80\x99s July 1999 special report, The Handling of FBI\nIntelligence Information Related to the Justice Department\xe2\x80\x99s Campaign\nFinance Investigation, reported that FBI personnel were not well-\nversed in the ACS system and other databases.\n\n      A March 2002 OIG report, entitled An Investigation of the\nBelated Production of Documents in the Oklahoma City Bombing Case,\nanalyzed the causes for the FBI\xe2\x80\x99s belated delivery of many documents\nin the Oklahoma City bombing case. This report concluded that the\nACS system was extraordinarily difficult to use, had significant\n\n                                  - 68 -\n\x0cdeficiencies, and was not the vehicle for moving the FBI into the 21\ncentury. The report noted that inefficiencies and complexities in the\nACS, combined with the lack of a true information management\nsystem, were contributing factors in the FBI\xe2\x80\x99s failure to provide\nhundreds of investigative documents to the defendants in the\nOklahoma City bombing case.\n\n       In May 2002, the OIG issued a report on the FBI\xe2\x80\x99s administrative\nand investigative mainframe systems entitled the Independent\nEvaluation Pursuant to the Government Information Security Reform\nAct, Fiscal Year 2002. The report identified continued vulnerabilities\nwith management, operational, and technical controls within the FBI.\nThe report stated that these vulnerabilities occurred because the\nDepartment and FBI security management had not enforced\ncompliance with existing security policies, developed a complete set of\npolicies to effectively secure the administrative and investigative\nmainframes, or held FBI personnel responsible for timely correction of\nrecurring findings. Further, the report stated that FBI management\nhad been slow to correct identified weaknesses and implement\ncorrective action and, as a result, many of these deficiencies repeated\nyear after year in subsequent audits.\n\n       In December 2002, the OIG issued a report on The FBI\xe2\x80\x99s\nManagement of Information Technology Investments, which included a\ncase study of the Trilogy project. The report made 30\nrecommendations, 8 of which addressed the Trilogy project. The\nreport\xe2\x80\x99s focus was on the need to adopt sound investment\nmanagement practices as recommended by the GAO. The report also\nstated that the FBI did not fully implement the management processes\nassociated with successful IT investments. Specifically, the FBI had\nfailed to implement the following critical processes:\n\n     \xe2\x80\xa2     defining and developing IT investment boards,\n\n     \xe2\x80\xa2     following a disciplined process of tracking and overseeing\n           each project\xe2\x80\x99s cost and schedule milestones over time,\n\n     \xe2\x80\xa2     identifying existing IT systems and projects,\n\n     \xe2\x80\xa2     identifying the business needs for each IT project, and\n\n     \xe2\x80\xa2     using defined processes to select new IT project proposals.\n\n\n                                 - 69 -\n\x0cThe audit found that the lack of critical IT investment management\nprocesses for Trilogy contributed to missed milestones and led to\nuncertainties about cost, schedule, and technical goals.\n\n\n\n\n                                - 70 -\n\x0c                                                          APPENDIX 4\n\n       COST ESTIMATING METHODOLOGIES USED IN THE\n         INDEPENDENT GOVERNMENT COST ESTIMATE\n\n      The Independent Government Cost Estimate methodology\ninvolves the use of six cost estimating techniques, detailed below. The\nmethod chosen to estimate each element of the project was based on\nthe availability of technical and cost data.\n\nParametric Modeling - The parametric technique uses a compilation\nof historical data to formulate functional relationships (or models).\nThese relationships are then used to predict the cost of the new\nsystem. The costs for custom-developed software were estimated\nusing a commercial parametric modeling tool, CostXpert. Cost\nEstimating Relationships are a form of parametric estimation, but are\nseparately defined for clarification.\n\nCost Estimating Relationships \xe2\x80\x93 Cost Estimating Relationships are\nfactors that are applied against the known costs of a portion of the\nsystem under consideration to estimate the costs of an unknown\nportion of the system.\n\nAnalogy - Analogy estimation involves drawing parallels between the\nsystem under consideration and other systems for which technical and\ncost information is known.\n\nEngineering Assessment - The engineering or "bottom-up"\ntechnique aggregates a cost estimate from resource estimates made\nat the lowest level possible. Often the estimate is compiled by\ndetermining the unit cost of each system component, multiplying by\nthe quantity, and aggregating the results to product total system\ncosts.\n\nVendor Quote - The vendor quote technique consists of gathering\ncost information directly from specific vendors, contract vehicles, and\ncatalog resources.\n\nHistorical - The historical technique consists of using relevant past\ncost data from similar items to estimate the cost of the current item.\n\n\n\n\n                                 - 71 -\n\x0c                                                                            APPENDIX 5\n\n                                       RISK REGISTER\n\nRank   Risk Condition        Risk                  Impact   Mitigation Strategy\n                             Consequence           Phase\n1      New model for         Regarding APG,        1        M1. Actively engage parallel\n       data access and       parallel                       development efforts; develop MOUs for\n       control (access       development                    content, interfaces and funding\n       rules) may impact     efforts may                    strategy; incorporate into Sentinel plans\n       Sentinel\xe2\x80\x99s schedule   result in changes              as appropriate.\n       and budget.           to Sentinel                    M2. Identify critical interfaces and the\n                             functional                     phase they may impact Sentinel.\n                             content or                     M3. Establish WG to help establish ICDs\n                             interface                      with other projects (ICWG).\n                             requirements                   M4. Establish MOUs with other projects\n                             and consume                    as applicable.\n                             significant                    M5. Identify source of additional funding\n                             resources.                     if required.\n                                                            M6. Document external systems and\n                                                            interface requirements for inclusion in\n                                                            the solicitation.\n                                                            M7. Establish a working partnership and\n                                                            collaborate with the legacy systems\xe2\x80\x99\n                                                            owning organization (ITOD).\n\n2      User requirements     Funding and           2        M1. Place the SRS under configuration\n       may change            schedule will not              control prior to RFP release.\n       significantly as a    support project                M2. Maintain strict requirements and\n       result of the BPR     completion.                    configuration controls throughout the\n       initiative and                                       project.\n       impact Sentinel\xe2\x80\x99s                                    M3. Ensure user advocacy group is the\n       schedule and                                         focal point for all user changes/needs.\n       budget.                                              M4. Ensure contractors are aware and\n                                                            adhere to change process, including\n                                                            communication with user community.\n                                                            M5. Ensure core FBI capabilities are\n                                                            addressed early in system development.\n                                                            M6. Ensure continuous feedback with\n                                                            user community.\n                                                            M7. Concurrence of SRS contents to be\n                                                            achieved by each division.\n\n\n\n\n                                                 - 72 -\n\x0cRank   Risk Condition         Risk                 Impact   Mitigation Strategy\n                              Consequence          Phase\n3      Absent an              Time spent on        2        M1 Seek FBI definition of authoritative\n       authoritative          creating Role                 identify attributes and authoritative\n       source of identity     Based Access                  sources\n       attributes, Sentinel   Control may                   M2 Establish identity attribute\n       must internally        impact schedule.              standards for Sentinel and FBI use\n       develop identity                                     M3 Seek FBI clarification of target\n       attributes for Role                                  directory architecture to support\n       Based Access                                         centralized management of authoritative\n       Control, and                                         identity attributes\n       impact to be\n       consistent with FBI\n       Enterprise Service\n       Directory Service\n       requirements is\n       unknown.\n\n4      Development            Project plans,       2        PM1. Identify the Government and\n       contractor hiring is   schedules and                 support contractor resources, (and\n       lagging resource       scope will require            associated timeline, skills, et al.) in the\n       need to complete       modification;                 Sentinel Project Plan.\n       design work.           Sentinel vision               PM2. Assess the realism of Contractor\n                              prolonged/ not                staffing during Source Selection.\n                              achieved.                     PM3. Define security clearance\n                                                            requirements consistent with the access\n                                                            required by Development contractor\n                                                            personnel, likely reducing the number of\n                                                            TS security clearances required.\n                                                            M4. Require staffing plan submission,\n                                                            with clearance status, in project review\n                                                            reporting\n                                                            M5. Ensure active govt involvement in\n                                                            VAR resolution\n                                                            M6. LM has opened up hiring to all\n                                                            corporate divisions and Sentinel\n                                                            subcontractors and Corporate HR is\n                                                            assisting with surge support.\n\n5      Lack of attendance     Poor or slow user    1        M1-- Review the prime contractor\'s\n       or participation by    acceptance of                 approach to market and provide\n       users in training.     Sentinel.                     outreach for each Sentinel phase.\n                                                            M2-- Validate training approach with\n                                                            pilot user group to be followed by\n                                                            Bureau executive endorsement.\n                                                            M3--Identify method to achieve or\n                                                            require sufficient level of training\n                                                            participation.\n\n\n\n\n                                                 - 73 -\n\x0cRank   Risk Condition       Risk                 Impact   Mitigation Strategy\n                            Consequence          Phase\n6      Activities related   1. Requires GFE      1        Consequence 1.\n       to data cleansing    Data Staging                  M1 Use new staging or SIT hardware to\n       of data from         partition by                  perform data cleansing. Delay data\n       phased out legacy    11/1/06 (in FBI               cleaning until receipt of hardware.\n       systems may have     facility with C&A\n       been                 complete and                  Consequence 2a.\n       underestimated.      Oracle 10g with               M1 Data Migration alternative trade\n                            RAC installed).               studies (IMS UID 2070 &3955)\n                            2a. Cleansed\n                            data will not be              Consequence 2b.\n                            placed back into              M1 Data Migration alternative trade\n                            ACS which can                 studies (IMS UID 2070 &3955)\n                            result in a long\n                            term data                     Consequence 3.\n                            synchronization               M1 Cleansing to be done only in FBI\n                            problem.                      Facility\n                            2b. Placing                   M2 Access limited to select group read\n                            cleansed data                 into "process". FBI only?\n                            back into the\n                            legacy data base              Consequence 4.\n                            may impact                    M1 Remove IMS dependencies between\n                            those continuing              Data Cleansing and DCR/PDR/CDR\n                            to use legacy\n                            applications.\n                            3. Need to\n                            maintain security\n                            control of data in\n                            staging area\n                            (Data will not be\n                            protected by ACS\n                            or Sentinel\n                            access controls)\n                            4. Data cleansing\n                            is a Phase 2 risk\n                            mitigation\n                            activity and\n                            should not delay\n                            Phase 1 critical\n                            path activities.\n\n\n\n\n                                             - 74 -\n\x0cRank   Risk Condition       Risk                Impact   Mitigation Strategy\n                            Consequence         Phase\n7      The evolving         To preclude non-    1        \xe2\x88\x9aM1. Monitor evolving standards;\n       Enterprise           compliance with              perform impact assessments; present\n       Architecture can     Enterprise                   assessments to TRB; file deviation\n       present new          Standards,                   request or incorporate as appropriate\n       design constraints   incorporation of             \xe2\x88\x9aM2. Participate in TRB and EAB and\n       to Sentinel          changes,                     evaluation of technical inputs. EC\n                            deviations,                  submitted\n                            and/or corrective            \xe2\x88\x9aM3. Develop method to influence EA,\n                            actions will                 standards list, and monitor enterprise\n                            impact cost,                 mandates (sys arch Mike Reed)\n                            schedule and                 \xe2\x88\x9aM4. Establish ICWG\n                            scope.                       \xe2\x88\x9aM5. Ensure EA changes are forwarded\n                                                         to Sentinel for review and impact, with\n                                                         RFC developed if appropriate\n                                                         \xe2\x88\x9aM6. System Architect hired and has\n                                                         direct liaison with Enterprise Architect\n                                                         chief.\n\n8      Data migration       Some data may       2        PM1. Identify all required data elements\n       from phased-out      be lost or                   PM2. Develop mapping of ACS elements\n       legacy systems       compromised, or              to Sentinel data requirements\n       may have been        ACS may not be               M3. Develop migration plan to support\n       underestimated       able to be                   data conversion to new environment\n                            replaced                     M4. Develop test plan to validate\n                                                         migration strategy\n                                                         \xe2\x88\x9aM5. Ensure management funds\n                                                         adequate to provide analysis if required.\n                                                         M6. Work with ITOD to determine scope\n                                                         of effort\n                                                         M7. Review results of previous data\n                                                         cleansing efforts for issues, provide\n                                                         lessons learned to LM\n                                                         M8. Ensure system design provides for\n                                                         migration.\n                                                         M9. Integration of data, design and\n                                                         migration IPTs\n\n\n\n\n                                              - 75 -\n\x0cRank   Risk Condition         Risk                  Impact   Mitigation Strategy\n                              Consequence           Phase\n9      Use of PKI requires    The risk here is      2        M3 - Transfer Bureau roll-out and use of\n       the user to change     fundamentally                  PKI enabled infrastructure to Trilogy\n       their logon routine    one of having                  prior to the Sentinel use so that the\n       from a                 users fail to                  issue is addressed for most users\n       UID/Password           accept Sentinel                independent of Sentinel.\n       approach to using      because of, or in              M4 - Decision will have to be made as to\n       tokens, readers,       association with,              whether to use non-PKI enabled\n       and pin numbers.       their negative                 authentication for Phase 1. (Contractor\n       The transition to      reaction to their              must implement some form of\n       this mode of logon     initial use of PKI-            authentication for "non-general" users)\n       will inevitably        enabled logon                  M5 - Add PKI to communications\n       antagonize many                                       strategy (get the word out in training\n       users, although,                                      and all communications, etc.)\n       once they get used\n       to it they most\n       likely will not find\n       it problematic.\n\n10     Proposed               Imprecise             2        M1 Investigate Intelligence Community\n       Controlled             requirements                   certified products.\n       Interface solution     could lead to\n       does not meet the      scope creep.                   M2 Evaluate cross domain design and\n       requirements for                                      present a design at Program Design\n       information                                           Review (PDR) that most effectively\n       sharing with                                          meets required functionality and cross\n       systems classified                                    domain security requirements.\n       higher than\n       Collateral Secret                                     M3 Evaluate product and design\n       (e.g., with                                           recommendations and adjudicate via\n       Intelligence                                          Engineering Review Board (ERB) and\n       Community) and                                        Sentinel Configuration and Change\n       with systems at a                                     Management Board (SCCMB).\n       lower classification\n       level (e.g., state\n       and local law\n       enforcement).\n\n\n\n\n                                                - 76 -\n\x0cRank   Risk Condition        Risk                Impact   Mitigation Strategy\n                             Consequence         Phase\n11     LCMS is an            Parallel            1        M1. Actively engage parallel\n       interface to          development                  development efforts; develop MOUs for\n       Sentinel, but the     efforts may                  content, interfaces, and funding\n       legacy program        result in changes            strategy; incorporate into SENTINEL\n       continues to          to Sentinel\'s                plans as appropriate\n       modify the            functional or                \xe2\x88\x9aM2. Identify critical interfaces and the\n       application,          interface                    phase that they may impact Sentinel\n       thereby adding to     requirements                 \xe2\x88\x9aM3. Establish WG to help establish\n       Sentinel\'s risk for   that may cause               ICDs with other projects (ICWG)\n       uncontrolled          delays or                    M4. Establish MOUs with other projects\n       scope, schedule,      increase cost.               as applicable\n       and cost.                                          M5. Identify source of additional\n                                                          funding if required\n                                                          PM6. Document external systems and\n                                                          interface requirements for inclusion in\n                                                          the solicitation.\n                                                          PM7. Establish a working partnership\n                                                          and collaborate with the legacy systems\xe2\x80\x99\n                                                          owning organization (ITOD).\n\n12     Privacy Impact        Cost and            2        M1-- Work with OGC to define the hard\n       Assessment (PIA)      schedule could               system requirements and verify against\n       requirements          expand to                    the SRS, include OGC (PIA centric)\n       impact cost and       accommodate                  personnel in our high level design\n       schedule              new                          meetings, so they can understand what\n                             requirements                 and how various data elements are\n                                                          being used.\n                                                          M2-- Work with OGC and DNI to\n                                                          accommodate \'interim, best guess\'\n                                                          requirements; comply with RFC process\n                                                          as requirements firm up\n                                                          M3-- Document DNI/OGC guidance\n                                                          through use of ECs\n\n\n\n\n                                              - 77 -\n\x0cRank   Risk Condition         Risk                Impact   Mitigation Strategy\n                              Consequence         Phase\n13     N-Dex is an            Parallel            2        M1. Actively engage parallel\n       interface to           development                  development efforts; develop MOUs for\n       SENTINEL, but the      efforts may                  content, interfaces, and funding\n       program continues      result in changes            strategy; incorporate into Sentinel plans\n       to modify the          to Sentinel\'s                as appropriate\n       application,           functional or                \xe2\x88\x9aM2. Identify critical interfaces and the\n       thereby adding to      interface                    phase that they may impact Sentinel\n       Sentinel\'s risk for    requirements                 \xe2\x88\x9aM3. Establish WG to help establish\n       uncontrolled           that may cause               ICDs with other projects (ICWG)\n       scope, schedule,       delays or                    M4. Establish MOs with other projects\n       and cost.              increase cost.               as applicable\n                                                           M5. Identify source of additional\n                                                           funding if required\n                                                           PM6. Document external systems and\n                                                           interface requirements for inclusion in\n                                                           the solicitation.\n                                                           PM7. Establish a working partnership\n                                                           and collaborate with the legacy systems\xe2\x80\x99\n                                                           owning organization (ITOD).\n                                                           M8. RFP to extend program has been\n                                                           published.\n\n14     Audit Services         Parallel            2        M1. Actively engage parallel\n       (ESOC) is an           development                  development efforts; develop MOUs for\n       interface to           efforts may                  content, interfaces, and funding\n       Sentinel, but the      result in changes            strategy; incorporate into Sentinel plans\n       legacy program         to Sentinel\'s                as appropriate\n       continues to           functional or                \xe2\x88\x9aM2. Identify critical interfaces and the\n       modify the             interface                    phase that they may impact Sentinel\n       application,           requirements                 \xe2\x88\x9aM3. Establish WG to help establish\n       thereby adding to      that may cause               ICDs with other projects (ICWG)\n       Sentinel\'s risk for    delays or                    M4. Establish MOUs with other projects\n       uncontrolled           increase cost.               as applicable\n       scope, schedule,       ArcSight client              M5. Identify source of additional\n       and cost. ESOC         may impact                   funding if required\n       plans to use           Sentinel network             PM6. Document external systems and\n       ArcSight, a COTS       connectivity,                interface requirements for inclusion in\n       application LMSI       bandwidth and                the solicitation.\n       also plans to use in   loads from                   PM7. Establish a working partnership\n       Sentinel.              passing data.                (an IPT) and collaborate with the legacy\n                                                           systems\xe2\x80\x99 owning organization (ITOD).\n\n\n\n\n                                              - 78 -\n\x0cRank   Risk Condition        Risk                  Impact   Mitigation Strategy\n                             Consequence           Phase\n15     DEEP is to be         Parallel              3        M1. Actively engage parallel\n       replaced by           development                    development efforts; develop MOUs for\n       Sentinel, but the     efforts may                    content, interfaces, and funding\n       legacy program        result in changes              strategy; incorporate into Sentinel plans\n       continues to          to Sentinel\'s                  as appropriate\n       modify the            functional or                  \xe2\x88\x9aM2. Identify critical interfaces and the\n       application,          interface                      phase that they may impact Sentinel\n       thereby adding to     requirements                   \xe2\x88\x9aM3. Establish WG to help establish\n       Sentinel\'s risk for   that may cause                 ICDs with other projects (ICWG)\n       uncontrolled          delays or                      M4. Establish MOUs with other projects\n       scope, schedule,      increase cost                  as applicable\n       and cost.                                            M5. Identify source of additional\n                                                            funding if required\n                                                            PM6. Document external systems and\n                                                            interface requirements for inclusion in\n                                                            the solicitation.\n                                                            PM7. Establish a working partnership\n                                                            and collaborate with the legacy systems\xe2\x80\x99\n                                                            owning organization (ITOD).\n\n\n\n\n16     Requirement           Integrated            3        M1. Ensure min. functionality\n       definitions           solution will not              requirements can be identified\n       necessitate           facilitate                     M2. Conduct analysis of minimum\n       inordinate            expansion of                   requirements vs. proposed technical\n       customization of      services                       solution\n       selected              throughout the                 M3. Ensure at each phase and design\n       COTS/GOTS             enterprise as                  review that solution is extendible to the\n       products (custom      envisioned                     enterprise\n       code)                                                M4. Tag milestones by phase to\n                                                            program schedule for monitoring\n\n\n\n\n                                                 - 79 -\n\x0cRank   Risk Condition        Risk                Impact   Mitigation Strategy\n                             Consequence         Phase\n\n17     EDMS is an            Parallel            4        M1. Actively engage parallel\n       interface to          development                  development efforts; develop MOUs for\n       Sentinel, but the     efforts may                  content, interfaces, and funding\n       legacy program        result in changes            strategy; incorporate into Sentinel plans\n       continues to          to Sentinel\'s                as appropriate\n       modify the            functional or                \xe2\x88\x9aM2. Identify critical interfaces and the\n       application,          interface                    phase that they may impact Sentinel\n       thereby adding to     requirements                 \xe2\x88\x9aM3. Establish WG to help establish\n       Sentinel\'s risk for   that may cause               ICDs with other projects (ICWG)\n       uncontrolled          delays or                    M4. Establish MOUs with other projects\n       scope, schedule,      increase cost.               as applicable\n       and cost.                                          M5. Identify source of additional\n                                                          funding if required\n                                                          PM6. Document external systems and\n                                                          interface requirements for inclusion in\n                                                          the solicitation.\n                                                          PM7. Establish a working partnership\n                                                          and collaborate with the legacy systems\xe2\x80\x99\n                                                          owning organization (ITOD).\n\n18     GUARDIAN is to be     Parallel            4        M1. Actively engage parallel\n       replaced by           development                  development efforts; develop MOUs for\n       Sentinel, but the     efforts may                  content, interfaces, and funding\n       legacy program        result in changes            strategy; incorporate into Sentinel plans\n       continues to          to Sentinel\'s                as appropriate\n       modify the            functional or                \xe2\x88\x9aM2. Identify critical interfaces and the\n       application,          interface                    phase that they may impact Sentinel\n       thereby adding to     requirements                 \xe2\x88\x9aM3. Establish WG to help establish\n       Sentinel\'s risk for   that may cause               ICDs with other projects (ICWG)\n       uncontrolled          delays or                    M4. Establish MOUs with other projects\n       scope, schedule,      increase cost                as applicable\n       and cost.                                          M5. Identify source of additional\n                                                          funding if required\n                                                          PM6. Document external systems and\n                                                          interface requirements for inclusion in\n                                                          the solicitation.\n                                                          PM7. Establish a working partnership\n                                                          and collaborate with the legacy systems\xe2\x80\x99\n                                                          owning organization (ITOD).\n\n\n\n\n                                             - 80 -\n\x0cRank   Risk Condition        Risk                  Impact   Mitigation Strategy\n                             Consequence           Phase\n\n19     Policy does not       The lack of policy    1        M1 There is a requirement to have a\n       currently exist to    could delay the                data model that is compliant with the\n       support the           implementation                 latest version of the Global Justice XML\n       sharing of Sentinel   of information                 standard. This should accommodate the\n       information with      sharing                        appropriate data elements. The\n       external agencies.    capabilities.                  program will track with the appropriate\n                                                            FBI divisions and the Global Justice XML\n                                                            standards groups to ensure that as\n                                                            updates occur; this information can be\n                                                            passed back to the appropriate Sentinel\n                                                            committees for action.\n\n20     Development           Disaster event                 M1 Develop a well defined Disaster\n       environment data      causes loss of                 Recovery Plan with contingencies for all\n       is lost or            SEI/                           types of anticipated disasters.\n       corrupted.            Development\n                             data resulting in\n                             key milestone/\n                             schedule\n                             slippages.\n\n\n\n\n                                                 - 81 -\n\x0c                                                          APPENDIX 6\n\n         THE FBI\xe2\x80\x99S LIFE CYCLE MANAGEMENT DIRECTIVE\n\n      The FBI\xe2\x80\x99s IT Systems Life Cycle Management Directive (LCMD) is\ncomprised of interrelated components. They include Life Cycle Phases,\nControl Gate Reviews & Boards, and Project Level Reviews. Sentinel is\ncurrently in the Design phase of the LCMD.\n\nPhases\n\n      The LCMD has established nine phases that occur during the\ndevelopment, implementation, and retirement of IT projects. During\nthese phases, specific requirements must be met for the project to\nobtain the necessary FBI management approvals to proceed to the\nnext phase.\n\nControl Gate Reviews & Boards\n\n      The approvals to proceed from one phase to the next occur\nthrough seven control gates, where management boards meet to\ndiscuss and approve or disapprove a project\xe2\x80\x99s progression to future\nphases of development and implementation. The seven control gate\nreviews provide management control and direction, decision-making,\ncoordination, confirmation of successful performance of activities, and\ndetermination of a system\xe2\x80\x99s readiness to proceed to the next life cycle\nphase.\n\nProject-Level Reviews\n\n      Project-level Reviews support the IT Systems Life Cycle process.\nProject Level Reviews determine program or project readiness to\nproceed to the next activities of the project life cycle. Each Project\nLevel Review feeds information up to the Executive-level Control\nGates, as data is developed and milestones are completed.\n\n\n\n\n                                 - 82 -\n\x0c                          FBI LCMD PHASES\n\n   PHASE NAME                                DESCRIPTION\n\n1. Concept Exploration     Identifies the mission need, develops and\n                           evaluates alternate solutions, and develops the\n                           business plan.\n\n2. Requirements            Defines the operational, technical and test\n   Development             requirements, and initiates project planning.\n\n3. Acquisition Planning    Allocates the requirements among the\n                           development segments, researches and applies\n                           lessons learned from previous projects, identifies\n                           potential product and service providers, and\n                           identifies funding.\n\n4. Source Selection        Solicits and evaluates proposals and selects the\n                           product and service providers.\n\n5. Design                  Creates detailed designs for system components,\n                           products, and interfaces; establishes testing\n                           procedures for a system\xe2\x80\x99s individual components\n                           and products and for the testing of the entire\n                           system once completed.\n\n6. Development and         Produces and tests all system components,\n   Test                    assembles and tests all products, and plans for\n                           system testing.\n\n7. Implementation and      Executes functional, interface, system, and\n   Integration             integration testing; provides user training; and\n                           accepts and transitions the product to operations.\n\n8. Operations and          Maintains and supports the product, and manages\n   Maintenance             and implements necessary modifications.\n\n9. Disposal                Shuts down the system operations and arranges\n                           for the orderly disposition of system assets\n\n\n\n\n                                 - 83 -\n\x0c                   FBI LCMD CONTROL GATE REVIEWS\n\n GATE                               DESCRIPTION\n\nGate 1   System Concept Review approves the recommended system concept\n         of operations and occurs at the end of Phase 1 of LCMD.\n\nGate 2   Acquisition Plan Review approves the Systems Specification and\n         Interface Control documents as developed in Phase 2 and the\n         approach and resources required to acquire the system as defined in\n         the Acquisition Plan as developed in Phase 3.\n\nGate 3   Final Design Review approves the build-to and code-to documentation\n         and associated draft verification procedures. It also ensures that the\n         design presented can be produced and will meet its design-to\n         specification at verification. The gate review occurs after the\n         contractor is selected in Phase 4 and system design is completed in\n         Phase 5.\n\nGate 4   Deployment Readiness Review approves the readiness of the system\n         for deployment in the operational environment. The gate review\n         occurs after the system is developed and tested in Phase 6. Approval\n         through the Gate 4 signifies readiness for the system implementation.\n\nGate 5   System Test Readiness Review verifies readiness to perform an\n         official system-wide data gathering verification test for either\n         qualification or acceptance. The gate review occurs mid-way through\n         Phase 7.\n\nGate 6   Operational Acceptance Review approves overall system and product\n         validation by obtaining customer acceptance and determining\n         whether the operations and maintenance organization agrees to, and\n         has the ability to, support continuous operations of the system. The\n         gate review occurs at the end of Phase 7.\n\nGate 7   Disposal Review authorizes termination of the Operations and\n         Maintenance life cycle phase and disposes of system resources. The\n         gate review occurs at the end of Phase 8 and results in Phase 9.\n\n\n\n\n                                  - 84 -\n\x0cEXECUTIVE REVIEW BOARDS RESPONSIBLE FOR CONTROL\n                  GATE REVIEWS\n\n  \xe2\x80\xa2   The IMPRB leads the System Concept Review and the\n      Acquisition Plan Review (Control Gates 1 and 2) and ensures\n      that all IT acquisitions are aligned and comply with FBI\n      policies, strategic plans, and investment management\n      requirements.\n\n  \xe2\x80\xa2   The Technical Review Board leads the Final Design Review\n      (Control Gate 3) and ensures that IT systems comply with\n      technical requirements and meet FBI needs.\n\n  \xe2\x80\xa2   The Change Management Board leads the Deployment\n      Readiness Review, System Test Readiness Review,\n      Operational Acceptance Review and the Disposal Review\n      (Control Gates 4 through 7) and controls and manages\n      developmental and operational efforts that change the FBI\'s\n      operational IT environment.\n\n  \xe2\x80\xa2   The Enterprise Architecture Board ensures that IT systems\n      comply with Enterprise Architecture requirements.\n\n  \xe2\x80\xa2   The IT Policy Review Board establishes, coordinates,\n      maintains and oversees implementation of IT policies.\n\n\n\n\n                             - 85 -\n\x0c      PROJECT LEVEL REVIEWS: CONCEPT EXPLORATION PHASE\n                    THROUGH DESIGN PHASE\n\n      REVIEW NAME                              DESCRIPTION\n\n1. Mission Needs Review      Examines the user need or technological\n                             opportunity, the deficiencies in the current set of\n                             systems, alternative and the proposed solution,\n                             and a business case or rationale for further\n                             investigating changes to the FBI\xe2\x80\x99s information\n                             systems.\n\n2. System Specification      The decision point to proceed with the\nReview                       development of an Acquisition Plan, the allocation\n                             of high level system requirements to segment\n                             specifications, and the development of Project\n                             Plans that will manage the acquisition.\n\n3. Source Selection          Approves source selection results and authorizes\nAcquisition Review           contract negotiations.\n\n4. Contract Implementation   The first Review between the customer and the\nReview                       solution provider following a contract award.\n\n\n5. Requirements              Ensures the solution provider has a full\nClarification Review         understanding of the requirements for the system\n                             or segment and can articulate this understanding\n                             through proposed implementations of the\n                             requirement.\n\n6. Design Concept Review     A review of the decomposition of the system or\n                             product (hardware, software, and manual\n                             operations).\n\n7. Preliminary Design        Can be a single event or can be spaced out over\nReview                       time during the Design Phase to cover logical\n                             groupings of configuration items.\n\n\n\n\n                                   - 86 -\n\x0c- 87 -\n\x0c                                                          APPENDIX 7\n\n        PMO STAFF POSITIONS AND RESPONSIBILITIES\n\nProgram Leadership\n\n      The Sentinel program leadership consists of a program manager\nand a deputy program manager who are responsible for ensuring the\noverall success of the Sentinel project.\n\nDirect Reporting Staff\n\n     The direct reporting staff includes the following:\n\n        \xe2\x80\xa2   Contract Officer \xe2\x80\x94 oversees all Sentinel contract\n            executions, including contractor task-order compliance,\n            prepares change orders or other contract modifications as\n            required, and also monitors contractual performance.\n\n        \xe2\x80\xa2   Contract Officer Technical Representative \xe2\x80\x94 assists\n            Contracting Officer in technical oversight.\n\n        \xe2\x80\xa2   General Counsel \xe2\x80\x94 provides legal advice to the program\n            manager and deputy program manager.\n\n        \xe2\x80\xa2   Communications \xe2\x80\x94 assists the program manager in\n            relaying program information.\n\nOrganization Change Management\n\n       Organizational Change Management (OCM) is responsible for\npreparing Sentinel users to accept and utilize Sentinel\xe2\x80\x99s capabilities.\nOCM provides a formal path for receiving new user-originated\nrequirements during the implementation of the system. The OCM\nteam includes special agents, intelligence analysts, and professional\nstaff who are on temporary duty assignments to the Sentinel program.\n\nBusiness Management\n\n      The Business Management organizational unit develops and\nmaintains program investments, budget, and spending plans. The\nteam also monitors, analyzes, and reports on the program\xe2\x80\x99s Earned\nValue Management status.\n\n\n\n                                - 88 -\n\x0cAdministrative Support\n\n     The Administrative Support staff directs the administrative and\nsupport services required by the Program Management Office.\n\nProgram Integration\n\n      The Program Integration staff is responsible for developing and\nmaintaining the Sentinel project baseline and then tracking progress\nand risks against that baseline. This team is also responsible for\ncoordinating external interfaces development plans and dependency\nschedules.\n\nSystem Development.\n\n      The System Development staff is responsible for the overall\nsystem design and its implementation increments. This team is also\nresponsible for the technical performance outcome of the Sentinel\nprogram and is accountable for the systems requirements and the\ndelivery of a system whose technical performance meets users\xe2\x80\x99\nexpectations.\n\nTransition\n\n       The Transition team is responsible for all activities associated\nwith the transition of Sentinel phase capability from its development to\neventual use by the FBI user community.\n\nOperations and Maintenance\n\n       The Operations and Maintenance staff is responsible for the\noperations and maintenance of the deployed Sentinel capabilities until\nit reaches full operation capability. At which time this responsibility\nwill be transferred to the FBI\xe2\x80\x99s Information Technology Operations\nDivision.\n\n\n\n\n                                 - 89 -\n\x0c                                          APPENDIX 8\n\nTHE FEDERAL BUREAU OF INVESTIGATION\xe2\x80\x99S RESPONSE TO THE\n                    DRAFT REPORT\n\n\n\n\n                        - 90 -\n\x0c- 91 -\n\x0c- 92 -\n\x0c                                                          APPENDIX 9\n\n      OFFICE OF THE INSPECTOR GENERAL ANALYSIS AND\n     SUMMARY OF ACTIONS NECESSARY TO CLOSE REPORT\n\n       Pursuant to the OIG\xe2\x80\x99s standard audit process, the OIG provided\na draft of this audit report to the FBI on October 27, 2006, for its\nreview and comment. The FBI\xe2\x80\x99s November 7, 2006, response is\nincluded as Appendix 8 of this final report. The FBI concurred with the\nfive recommendations in the audit report. Our analysis of the FBI\xe2\x80\x99s\nresponse to the five recommendations is provided below.\n\n      The OIG also provided a draft of this report to Lockheed\nMartin for its review and comment. The comments Lockheed Martin\nprovided were incorporated into this final report as appropriate.\n\nResponse to Recommendations\n\n1. Resolved. In response to this recommendation, the FBI stated\n   that the Sentinel PMO will work with the Finance Division and\n   senior FBI management to determine the appropriate amount of\n   the management reserve for each phase. The PMO believes that\n   11 percent is an appropriate overall reserve amount and that the\n   amount of each phase\xe2\x80\x99s reserve may be adjusted based on a\n   comprehensive assessment of risk. The FBI also noted that,\n   through its Finance Division, the FBI\xe2\x80\x99s Deputy Director governs the\n   use of the management reserve. This recommendation can be\n   closed when we receive documentation showing the management\n   reserve is based on an assessment of the project risks for each\n   phase and for the project overall.\n\n2. Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n   agreement to periodically update its estimate of total project costs\n   as actual cost data is available. The FBI said that since the award\n   of the Sentinel contract, the PMO has worked in conjunction with\n   Lockheed Martin and the Finance Division to revise projected\n   program costs as appropriate. The FBI said it will communicate\n   any changes to program costs through budget requests and the\n   OMB Exhibit 300 process. This recommendation can be closed\n   when we receive documentation showing the FBI has periodically\n   updated the estimate of total project costs as actual cost data\n   becomes available.\n\n\n\n\n                                 - 93 -\n\x0c3. Resolved. This recommendation is resolved based on the FBI\xe2\x80\x99s\n   agreement to complete contingency plans as required by the\n   Sentinel Risk Management Plan. The FBI noted that Version 2 of\n   the FBI\xe2\x80\x99s Risk Management Plan, recently released by its Office of\n   IT Policy and Planning, requires contingency triggers and\n   contingency plans only for high risks. The FBI said the Sentinel\n   Risk Management Plan is being revised to comply with this new\n   policy. However, the FBI advised us that Sentinel had identified its\n   first high risk in mid-October and was developing a contingency\n   plan to address it. This recommendation can be closed when we\n   receive documentation showing that the FBI has completed\n   contingency plans as required by the Sentinel Risk Management\n   Plan.\n\n4. Resolved. The FBI agrees with this recommendation, stating that\n   it will provide experienced contractors to conduct an independent\n   verification and validation process throughout the project. The\n   independent verification and validation contractor will report to the\n   FBI\xe2\x80\x99s CIO on both the performance of Lockheed Martin and the\n   Sentinel PMO. This recommendation can be closed when we\n   receive documentation showing that the FBI has ensured that the\n   independent verification and validation process is conducted\n   through project completion.\n\n5. Resolved. The FBI agrees with this recommendation and said that\n   the Sentinel PMO continues to work aggressively to fill government\n   and contractor positions. The FBI noted that the two vacancies\n   cited in our report represent less than five percent of the PMO\xe2\x80\x99s\n   total staff. The Sentinel PMO believes this vacancy rate is\n   significantly less than government and industry levels. The FBI\n   said that the Sentinel PMO requires contractors to have existing\n   security clearances, allowing its contractors to fill vacancies\n   usually within 30 days. The six operations and maintenance\n   vacancies discussed in our report are currently being finalized for\n   recruitment. This recommendation can be closed when we receive\n   documentation showing that the FBI has completed hiring for the\n   vacant PMO positions needed during the current project phase.\n\n\n\n\n                                 - 94 -\n\x0c'